How-to guide: Understanding key data protection definitions (UK)

Updated as of: 02 March 2025

Introduction

This guide is a glossary of key definitions and terminology relevant to data protection and is intended to be a useful reference resource for in-house counsel and private practice lawyers advising in this area. It combines statutory definitions, and working definitions/other relevant terminology, as informed by regulatory guidance and practice.

This guide covers:

  1. Overview – legal framework
  2. Key definitions

There are special rules under the UK GDPR (as defined below) relating to processing by law enforcement and intelligence services but this guide does not deal with these. Instead, it focuses on those requirements that will be most relevant to commercial organisations.

This guide can be used in conjunction with How-to guides: How to deal with an ICO dawn raid, How to reduce the risk of a data breach, How to ensure compliance with the GDPR and How to deal with a data breach, and Checklists: Managing a dawn raid, Data subject access rights under the GDPR, What to include in your organisation’s privacy notice, GDPR compliance self-assessment audit, When and how to appoint a data protection officer and When it is lawful to process personal data.

Section 1 - Overview – legal framework

The guide covers the requirements under:

  • Regulation 2016/679 – General Data Protection Regulation (EU GDPR)
  • the EU GDPR as it forms part of the domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (UK GDPR)
  • the Data Protection Act 2018 (UK DPA 2018)
  • various UK Information Commissioner’s Office (ICO) guidance, and
  • various European Data Protection Board (EDPB) guidance.

Section 2 - Key definitions

Section 3 of the UK DPA 2018 is the main definitions section of that Act. Article 4 is the definitions section of both the UK GDPR and the EU GDPR. References below to the ‘GDPR’ mean either the EU GDPR or the UK GDPR, unless specified otherwise.

Where there are differences between these laws, these are marked up in the downloadable version of this guide.

Where it is helpful to do so, both the UK and the EU provisions have been set out side by side, and/or an explanation has been included as to where they differ.

Key terms under the EU GDPR which have not been carried over to the UK GDPR (such as ‘main establishment’ and ‘supervisory authority’) have been omitted.

Key terms are set out below in alphabetical order.

2.1 ‘Anonymous data’

‘…information which does not relate to an identified or identifiable natural person or … personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.’

Recital (26), GDPR.

Anonymisation involves removing identifiers that would enable an individual to be singled out or be re-identified using other data (ie, to create aggregated statistical data). Properly anonymised data is not personal data and therefore the GDPR does not apply to it.

However, if there are reasonably available means to re-identify the individuals whose data it is (when combined with other data), the data will not have been properly anonymised and instead will only be pseudonymised (see also ‘pseudonymisation’ below).

2.2 ‘Automated decision-making’

Automated decision-making refers to making a decision solely by automated means without any human involvement.

Article 22, GDPR imposes certain conditions on this type of decision-making where it has legal or similarly significant effects for individuals. Section 14, UK DPA 2018 includes additional safeguards for automated decision-making that is authorised by law.

2.3 ‘Binding corporate rules’ or ‘BCRs’

‘Personal data protection policies which are adhered to by a controller or processor established in the United Kingdom for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.’

Article 4(20), GDPR; Schedule 21, part 3, paragraph 9, UK DPA 2018.

BCRs are an appropriate safeguard for intra-group international data transfers. UK BCRs must be approved by the Information Commissioner. EU BCRs continue to be valid in the UK as an appropriate safeguard for data transfers, provided that the organisation gets a valid UK BCR approved by the ICO. However, the adequacy agreement between the EU and the UK is currently due to end on 27 June 2025 and it is not yet known as to whether this period will be extended.

See ICO’s guide to Binding Corporate Rules for further information.

2.4 ‘Biometric data’

‘Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.’

Article 4(14), GDPR; sections 10 and 11 and section 205(1) UK DPA 2018.

Biometric data that is used to uniquely identify someone is ‘special category data’ under article 9, GDPR (see below). The GDPR and UK DPA 2018 impose additional requirements on processing such data.

2.5 ‘Consent’ (of the data subject)

‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’

Article 4(11), GDPR.

Data subject consent is one of a number of lawful bases under article 6, GDPR upon which personal data is permitted to be processed. Article 7, GDPR sets out further conditions for valid consent. See also ‘explicit consent’ below.

2.6 ‘Controller’

‘The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;’

Article 4(7), GDPR.

In addition, section 6(2), UK DPA 2018 provides:

‘For the purposes of the UK GDPR, where personal data is processed only—

(a) for purposes for which it is required by an enactment to be processed, and

(b) by means by which it is required by an enactment to be processed,

the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.’

The controller is the organisation that makes the key decisions as to why, and by what means, personal data will be processed.

A controller may engage processors to process personal data on their behalf (see ‘processor’ below). Whether a party is a processor or controller is a factual issue and has different consequences in terms of legal compliance obligations and liability.

2.7 ‘The Commissioner’

‘The Information Commissioner.’

Article 4(A3), UK GDPR; section 114 and Schedule 12, UK DPA 2018.

The Information Commissioner is the UK’s data protection regulator. The Information Commissioner’s Office is also known as the ICO.

2.8 ‘Criminal data’

This is a shorthand way of describing processing of personal data related to criminal convictions and offences under article 10, GDPR.

In the UK, criminal data is subject to similar additional conditions to those which apply to special category data, as set out in sections 10 and 11(2) and Schedule 1, UK DPA 2018 (see below).

2.9 ‘Data concerning health’

‘Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status.’

Article 4(15), GDPR; section 205(1) and Schedule 1, UK DPA 2018.

Data concerning health is ‘special category data’ under article 9, GDPR (see below). The GDPR and UK DPA 2018 impose additional requirements on processing such data; these special rules apply because of the potentially significant risks to an individual’s fundamental rights and freedoms.

2.10 ‘Data protection officer’ (or DPO)

Articles 37 to 39, GDPR

A person appointed by a controller or processor with certain responsibilities under the UK GDPR or EU GDPR for data protection compliance.

2.11 ‘Data subject’

‘the identified or identifiable living individual to whom personal data relates.

‘Identifiable living individual’ means a living individual who can be identified, directly or indirectly, in particular by reference to—

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.’

Sections 3(3) and (5), UK DPA 2018.

A data subject is the person to whom the information relates. In the UK, data protection laws only apply to living individuals.

Article 4(1), GDPR defines ‘data subject’ slightly differently by referring to ‘natural person’ instead of ‘living individual’ and to ‘data’ in the plural rather than the singular, and is formatted differently.

2.12 ‘Domestic law’

‘The law of the United Kingdom or of a part of the United Kingdom.’

Article 4(A2), UK GDPR.

This term has been introduced into the UK GDPR to largely replace the references in various provisions of the EU GDPR to ‘Union or Member State law’.

2.13 ‘Enterprise’

‘A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.’

Article 4(18), GDPR.

An enterprise essentially means a business. This term is relevant to the provisions of the GDPR relating to ‘BCRs’ (Article 47, GDPR and see above), data processing records (Article 30, GDPR), codes of conduct (Article 40, GDPR) and certification (Article 42, GDPR).

2.14 ‘EU GDPR’

‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it has effect in EU law.’

Section 3(10A), UK DPA 2018.

This is to distinguish between:

  • the EU GDPR; and
  • the UK GDPR (ie, the EU GDPR as this has been brought into UK domestic law).

The EU GDPR and the UK GDPR are similar in many respects but there are some differences, and further divergence is likely to happen in the future, particularly if the UK government’s plans for its data protection law strategy are enacted. The UK Data Protection and Digital Information Bill which proposes amendments to various pieces of UK legislation, including the UK GDPR, the UK DPA 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) was laid before the UK Parliament on 18 July 2022, marking a significant step in the post-Brexit reform of the UK data protection regime. The bill’s passage through the UK’s legislative process was paused in September 2022 to allow for further consideration following changes to the UK’s governmental leadership. A new bill - the Data Protection and Digital Information (No. 2) Bill - was introduced on 8 March 2023 and builds on the previous text. The Bill is designed to make the legal framework more user friendly and accessible for both businesses and individuals. 

2.15 ‘Explicit consent’

‘Explicit consent’ is an exemption to the prohibition on special category data processing under article 9 and Schedule 1, UK DPA 2018. It can also be used to permit solely automated decision-making and international data transfers. This differs from standard consent (see ‘consent’ above) in that (in addition to the standard consent requirements) it requires a very clear and specific statement of consent (ie to be confirmed in words).

2.16 ‘Filing system’

‘any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.’

Article 4(6), GDPR; Section 3(7), UK DPA 2018.

This definition implies that personal data needs to be organised in some way.

It is relevant to the material scope of processing of personal data to which the applicable data protection regime applies (see article 2, UK GDPR). The UK GDPR does not cover information that is not, or is not intended to be, part of a ‘filing system’.

The exception to this is unstructured manual information (ie, unstructured paper records) processed only by public authorities. While such information is still personal data, it is exempted from most requirements under the UK GDPR.

2.17 ‘Foreign designated authority’

‘An authority designated for the purposes of Article 13 of the Data Protection Convention (as defined by section 3 of the [UK DPA 2018]) by a party, other than the United Kingdom, which is bound by that Convention.’

Article 4(21A), UK GDPR; paragraph 3, Schedule 13, UK DPA 2018.

This refers to cooperation by the Information Commissioner with national data protection authorities in other countries.

‘The Data Protection Convention’ means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data that was opened for signature on 28 January 1981, as amended up to the day on which the UK DPA 2018 was passed.

The Data Protection Convention has been signed by the Members of the Council of Europe and ratified by certain other non-European countries. A current list of signatories and ratifying parties can be found here: Complete list of the Council of Europe's treaties.

2.18 ‘Genetic data’

‘Personal data relating to the inherited or acquired genetic characteristics of an individual which gives unique information about the physiology or the health of that individual and which results, in particular, from an analysis of a biological sample from the individual in question.’

Article 4(13), GDPR; section 205(1) and Schedule 1, UK DPA 2018.

The GDPR and the UK DPA 2018 use slightly different language but the differences are not substantive.

Processing of genetic data for the purpose of uniquely identifying a natural person will involve processing special categories of personal data (see below) to which Article 9, GDPR applies.

Additional conditions are imposed on processing this more sensitive type of data, including specific requirements under Schedule 1, part 2, UK DPA 2018 (eg, in the context of insurance and support for individuals with a particular disability or medical condition).

2.19 ‘Group of undertakings’

‘A controlling undertaking and its controlled undertakings.’

Article 4(19), GDPR.

This term is used in the context of the provisions relating to:

  • binding corporate rules (see definition above and article 47, GDPR);
  • prior consultation (article 36, GDPR); and
  • data protection officers (article 37, GDPR).

‘Undertaking’ is not defined in the GDPR but assumes the same meaning as under EU competition law – namely, any entity engaged in an economic activity, that is, an activity consisting in offering goods or services on a given market, regardless of its legal status and the way in which it is financed (see articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU)). The concept of control under competition law concerns the ability of an undertaking to exercise decisive influence over another undertaking.

The term ‘undertaking’ is also relevant to the calculation of administrative fines under Article 83, GDPR and section 157, UK DPA 2018.

2.20 ‘Information society service’

‘A service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council as it has effect immediately before IP completion day.’

Article 4(25), GDPR.

‘Information society services’ covers a range of online services.

This term is used in the context of obtaining children’s consent in relation to online services under Article 8, GDPR, to which additional conditions apply. It also may be relevant to the data subject rights of erasure and objection.

See definition of ‘IP completion day’ below.

2.21 ‘International organisation’

‘An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.’

Article 4(26), GDPR; section 205(1), UK DPA 2018.

This term is relevant to international data transfers under Chapter V and other provisions of the GDPR that impose obligations regarding such transfers (eg, article 13 (transparency)).

2.22 ‘IP completion day’

This means 11pm (GMT) on 31 December 2020, being the end of the implementation period for the UK to transition away from the EU’s laws and institutions. 

The transitional arrangements under the UK-EU Withdrawal Agreement deferred certain legal effects of Brexit in UK law and meant the UK had to continue to adhere to EU law from exit day until 11pm on 31 December 2020 (IP completion day). This is a key date that is referred to in various provisions of both the UK GDPR (articles 2, 4, 21 and 95) and the UK DPA 2018 (eg, Schedule 21).

2.23 ‘Personal data’

‘[a]ny information relating to an identified or identifiable living individual (subject to subsection (14)(c)) [which confirms the scope of personal data to which the UK DPA 2018 applies]. “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to— (a) an identifier such as a name, an identification number, location data or an online identifier, or (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.’

Sections 3(2) and (3), UK DPA 2018; article 4(1), GDPR.

Personal data essentially means any information which, by itself or together with other information, can be used to identify a person. In the UK, this has to be a living person but in some EU jurisdictions information relating to deceased persons is protected by certain aspects of data protection law.

2.24 ‘Personal data breach’

‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’

Article 4(12), GDPR.

A personal data breach is effectively a security incident that involves personal data. Controllers have obligations to inform data protection regulators (article 33, GDPR) and affected data subjects (article 34, GDPR) about personal data breaches.

2.25 ‘Processing’

‘in relation to information, [this] means any operation or set of operations which is performed on information, or on sets of information, (a) collection, recording, organisation, structuring or storage, (b) adaptation or alteration, (c) retrieval, consultation or use, (d) disclosure by transmission, dissemination or otherwise making available, (e) alignment or combination, or (f) restriction, erasure or destruction, (subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).’

Section 3(4), UK DPA 2018; article 4(2), GDPR.

Processing is a broad term which covers more or less any use of data.

The UK GDPR applies to the processing of personal data that is:

  • wholly or partly by automated means; or
  • the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.

The EU GDPR includes a similar definition but this explicitly refers to both automated and non-automated processing.

2.26 ‘Processor’

‘A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.’

Article 4(8), GDPR; section 3(6), UK DPA 2018.

A processor must follow the controller’s instructions when processing personal data on their behalf. Whether a party is a processor or controller is a factual issue and has different consequences in terms of legal compliance obligations and liability.

2.27 ‘Profiling’

‘Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.’

Article 4(4), GDPR.

Profiling means automated processing of personal data to evaluate certain aspects about a person, eg, how they might behave or respond in various ways. When profiling is part of an automated decision-making process, additional requirements apply (see ‘Automated decision-making’ above).

2.28 ‘Pseudonymisation’

‘The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.’

Article 4(5), GDPR.

Pseudonymisation is a technique or data management tool that removes directly identifying data about individuals and keeps that information separate, so that the individuals are no longer identifiable from the remaining data alone. Examples include using key-coding, persistent IDs or hashing techniques in place of names or email addresses. It is a measure that can make data more secure, but pseudonymised data will still be ‘personal data’, because if such data is combined with other data (in particular the separately held key or code table) the individual may be re-identified.

See also ‘Anonymous data’ above.
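The following is an added illustration, not code from the guide, the ICO or any statutory source, of the two pseudonymisation techniques this entry names (key-coding with a persistent ID, and a keyed hash) and of why the result remains personal data: the code table or secret key is the ‘additional information’ of Article 4(5), and whoever holds it can re-attribute the records. It also shows the aggregation step that the ‘Anonymous data’ entry (2.1) describes. The records, field names and function names are constructed for the example.

```python
"""Added example (not part of the guide): key-coding and keyed hashing as
pseudonymisation techniques, with the 'additional information' (code table or
secret key) held separately from the pseudonymised data set."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records (fictitious people) standing in for a controller's dataset.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.test", "diagnosis": "asthma"},
    {"name": "Bo Sample", "email": "bo@example.test", "diagnosis": "none"},
    {"name": "Ada Example", "email": "ADA@example.test", "diagnosis": "migraine"},
]

# Fields treated as direct identifiers for this example.
DIRECT_IDENTIFIERS = ("name", "email")


@dataclass
class KeyCodeTable:
    """The 'additional information' of Article 4(5): pseudonym -> identifiers.

    It must be stored separately from the pseudonymised data, under its own
    technical and organisational controls (access control, separate system)."""
    codes: dict = field(default_factory=dict)    # pseudonym -> {name, email}
    reverse: dict = field(default_factory=dict)  # normalised email -> pseudonym

    def code_for(self, record):
        """Return the persistent ID for this person, allocating one if needed."""
        key = record["email"].lower()
        if key not in self.reverse:
            pid = secrets.token_hex(8)  # random: carries no information about the person
            self.reverse[key] = pid
            self.codes[pid] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        return self.reverse[key]


def _strip_identifiers(record):
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def pseudonymise_key_coded(records, table):
    """Key-coding: replace direct identifiers with a persistent random ID
    (same person -> same ID), recording the mapping only in the code table."""
    return [{"pid": table.code_for(r), **_strip_identifiers(r)} for r in records]


def new_secret_key():
    """Secret for the keyed-hash variant; it is the 'additional information'."""
    return secrets.token_bytes(32)


def pseudonymise_keyed_hash(records, secret_key):
    """Keyed hash (HMAC-SHA256) of the email: deterministic, no lookup table,
    but anyone holding the key plus a candidate email can confirm a match."""
    out = []
    for r in records:
        digest = hmac.new(secret_key, r["email"].lower().encode(), hashlib.sha256)
        out.append({"pid": digest.hexdigest()[:16], **_strip_identifiers(r)})
    return out


def reidentify(pseudonymised, table):
    """Re-attribution is possible for whoever holds the code table: this is why
    pseudonymised data remains personal data under the GDPR."""
    return [{**table.codes[row["pid"]], **row} for row in pseudonymised]


def direct_identifiers_remaining(pseudonymised):
    """Check that no direct identifier field leaked into the pseudonymised set."""
    return [k for row in pseudonymised for k in row if k in DIRECT_IDENTIFIERS]


def aggregate_counts(pseudonymised, column="diagnosis"):
    """Aggregated statistics: no per-person rows and no pseudonym survive. This
    is the direction entry 2.1 points at; whether the output is truly anonymous
    still depends on whether small counts could single someone out."""
    counts = {}
    for row in pseudonymised:
        counts[row[column]] = counts.get(row[column], 0) + 1
    return counts


if __name__ == "__main__":
    table = KeyCodeTable()
    coded = pseudonymise_key_coded(SAMPLE_RECORDS, table)
    print("pseudonymised:", coded)
    print("re-identified with code table:", reidentify(coded, table))
    print("aggregate:", aggregate_counts(coded))
```

In practice the `KeyCodeTable` (or the HMAC key) would live in a separate system with its own access controls; the pseudonymised set can then be shared with, for example, an analytics team that cannot re-attribute it, while the controller as a whole still holds personal data.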

2.29 ‘Public authority’ and ‘Public body’

‘are to be interpreted in accordance with section 7 of the [UK DPA 2018] and provision made under that section.’

Article 4(10A), UK GDPR.

‘For the purposes of the UK GDPR, the following (and only the following) are ‘public authorities’ and ‘public bodies’ under the law of the United Kingdom— (a) a public authority as defined by the Freedom of Information Act 2000, (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), and (c) an authority or body specified or described by the Secretary of State in regulations, subject to subsections (2), (3) and (4)…’

Section 7, UK DPA 2018.

The UK GDPR and UK DPA 2018 essentially follow the definition of ‘public authority’ under Freedom of Information legislation and other regulations. This is subject to specific qualifications.

2.30 ‘Recipient’

‘A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with domestic law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.’

Article 4(9), GDPR.

Recipient means a person or body to which personal data is disclosed.

This term is relevant to the provisions regarding transparency/information notices, data subject rights, data processing records, international data transfers and enforcement action.

2.31 ‘Representative’

‘A natural or legal person established in the United Kingdom who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.’

Article 4(17), GDPR.

A representative needs to be appointed in certain circumstances (see article 27, UK GDPR) when personal data of individuals in the UK is being processed by an organisation that does not have an establishment in the UK. Equivalent requirements apply under the EU GDPR.

A representative serves as a point of contact for data subjects and the data protection authority (ie the ICO). Enforcement action can be taken against representatives.

2.32 ‘Restriction of processing’

‘The marking of stored personal data with the aim of limiting their processing in the future.’

Article 4(3), GDPR.

In practice, restriction of processing means using technical or other measures to pause or limit processing of personal data.

Restriction of processing is a data subject right under article 18, GDPR. The controller will have to restrict processing of personal data if certain conditions are met. Certain exceptions or limitations to this right are set out in Schedule 2, UK DPA 2018.

2.33 ‘Special category data’

‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.’

Article 9, GDPR; sections 10 and 11 and Schedule 1, UK DPA 2018.

This is a shorthand way of describing ‘special categories of personal data’ under article 9, GDPR, which is extracted above. The GDPR and UK DPA 2018 impose additional conditions on processing this more sensitive type of personal data.

2.34 ‘Third country’

‘A country or territory outside the United Kingdom.’

Article 4(27), UK GDPR.

This term is relevant to the provisions relating to international data transfers under Chapter V, GDPR and sections 17 and 18, UK DPA 2018.

The equivalent EU GDPR definition applies to countries or territories outside the EU (or the EEA by virtue of relevant legislation), meaning that the UK is designated as a third country. Additional requirements need to be met if personal data is to be transferred to a third country from the UK or the EEA if there is not an adequacy decision in place. (There is currently an EU adequacy decision in place for the UK and a UK adequacy decision in place for the EEA countries, but see 2.3 above). The European Commission and UK have granted various other countries adequacy. See Checklist: GDPR Compliance self-assessment audit Step 8.

2.35 ‘Third party’

‘A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.’

Article 4(10), GDPR.

The term ‘third party’ is used in various contexts under the GDPR to refer to a party that is somehow involved in data processing (other than the controller, processor or data subject) and is authorised to do so.

2.36 ‘UK GDPR’

‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.’

Sections 3(10) and 205(4), UK DPA 2018.

UK GDPR is the EU GDPR, as this has been written into UK domestic law, with certain minor amendments.

Additional resources

ICO Key data protection terms
ICO Glossary of terms
General data protection regulation – Keeling schedule
The Data Protection Act 2018 – Keeling schedule
Guide to the UK General Data Protection Regulation (UK GDPR) | ICO

Related Lexology Pro content

How-to guides:

How to comply with data processing principles under the GDPR
How to ensure compliance with the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the UK
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach
How to deal with an ICO dawn raid

Checklists:

GDPR compliance self-assessment audit
Assessing whether an organisation is a controller or processor under the GDPR
Lawful processing of personal data under the GDPR
Obtaining and managing consent under the GDPR
Processor due diligence (data protection and cybersecurity)
Making an international transfer of personal data under the UK GDPR
Data subject access rights under the GDPR
What to include in your organisation’s privacy notice
When and how to appoint a data protection officer
Complying with cookie requirements under the PECR and the GDPR
