GDPR key terms explained
GDPR is a hot topic in businesses just now, and there is a phenomenal effort underway across the UK to ensure GDPR compliance. Like many regulatory documents, it can be hard to digest exactly what is being said. I have compiled a list of GDPR key terms that you may come across, along with my interpretations of them.
Data subject
The “data subject” is the living individual to whom the personal data relates. Please note that institutions and organisations are not data subjects. If you target consumers, then this is likely to be your customer or prospective customer.
Data controller
This is the organisation or person who decides how the data will be used and for what purpose. If you are consumer focused, then this is likely to be your organisation, because you are making decisions on how your data (acquired or captured) is used.
Data processor
This is an organisation or person (not employed by the data controller) who processes data on behalf of a data controller. If you have a third party processing or managing your data, then this is them. Some businesses will be both the data controller and the data processor. This is the case if you carry out marketing using data that you have captured yourself.
Personal data
This is data that directly or indirectly identifies the data subject. If you are the data controller, this is data in your possession or data that is likely to come into your possession. Personal data includes expressions of opinion that the data controller (or any other person) has about the data subject. An example of this would be the notes about the data subject that you have stored in a CRM system.
Other personal data includes:
- Identification numbers (NI number for example)
- Location data
- IP address
- Cookie information
- Information relating to the data subject’s physical, physiological, genetic, mental, economic, cultural or social identity
This list is not exhaustive. If you are a consumer focused business, it is highly likely that you hold personal data.
Sensitive personal data
This is data which relates to the data subject’s beliefs, such as which way they lean politically or religiously. It also includes racial or ethnic origin, trade union membership, medical and health records, and sexual orientation.
The GDPR calls sensitive personal data ‘special categories of data’ and includes all the categories listed above with the addition of genetic and biometric data that uniquely identifies an individual.
The GDPR does not include criminal records as ‘special categories of data’. However, criminal records are currently considered ‘sensitive data’ under the current Data Protection Act. It is highly likely that the UK’s implementation of GDPR (the new UK Data Protection Bill) will include criminal records as sensitive personal data.
Consumer focused businesses may not have this sort of data. However, you may have this data if you are a recruitment or accountancy firm, for example. In all cases a review should be carried out to see what data you actually have.
Legitimate interest
This is probably the most flexible aspect of the GDPR for processing data. Legitimate interest would mean processing data in a way that the data subject would expect. You need a very compelling reason to process data under this circumstance.
When choosing to rely on this you are accepting extra responsibility for protecting people’s rights and interests. Therefore you are taking on additional risk.
You should test your use of data against three principles:
- Can you identify a legitimate interest?
- You must demonstrate that processing is absolutely necessary. Also, you need to prove that this cannot be achieved in a less intrusive way.
- You must demonstrate that there is a sensible balance between processing the data and the data subject’s rights and freedoms.
Legitimate interest can mean that of your business or that of the data subject. Again, you need to establish a balance between your commercial interest and the individual’s interest.
If the data subject would not reasonably expect the processing of their data, or it causes harm or injury, then legitimate interest is not the way to determine consent.
You should make sure you complete a legitimate interests assessment (LIA) so you can demonstrate compliance if you are asked to do so. If there is a mismatched balance between your business interests and those of the data subject, then the data subject’s rights will prevail, and you will have breached GDPR.
If you choose “legitimate interest” as an alternative to consent you’ll need to state this to the data subject. Receiving no engagement from the data subject means that you do not have continued consent.
Lastly you must include details of your legitimate interest in your privacy information.
Whilst this may seem like a more flexible feature of GDPR, there is more risk. It is much better to receive active consent from a data subject than to rely on this path.
B2B and B2C
Most of these terms relate to B2C communications and privacy, and there are different (more relaxed) expectations for B2B businesses. If you are a B2B business, it is still recommended that you review your data policies; you may have data that looks like business information but under GDPR is personal. Also consider whether you are a data processor. If you are, then GDPR is definitely relevant to you.
About this article
I have interpreted this from the various GDPR guidance documentation. Whilst this might provide a simpler read, it is only designed to provide my overall interpretation of the GDPR key terms. GDPR impact varies depending on what your business does. You must be comfortable with the GDPR key terms and the regulation as a whole, and make your own interpretation of the regulatory documentation. Also, GDPR has a different impact on different industries, so you should seek professional advice. Additionally, the ICO can provide some answers.