GDPR for the uninitiated – what the terms mean

One of the first hurdles of getting to grips with GDPR is understanding the document itself. With 99 Articles making up the Letter of the Law, and 173 Recitals explaining it, there is a lot to get through.

To get you started, here is our beginners’ guide to what some of the terms mean, in plain language:

GDPR: General Data Protection Regulation – sometimes just referred to as the Regulation. It will be enacted in the UK on 25th May 2018.

Data Subject: a person; an identifiable individual. There is no longer a difference between B2B data and B2C data. For the purposes of the GDPR they are one and the same.

Personal Data: any information relating to an identified or identifiable natural person, e.g. name, address, telephone number, ID number. Where GDPR adds another layer is that this now also covers location data and online identifiers.

Data Controller: the organisation that collects Personal Data and decides how it will be used, e.g. an event company, publishing company, membership body, list agency.

Data Processor: the organisation that processes Personal Data on behalf of the Data Controller, e.g. your CRM, registration solution, email broadcast system. As a Data Controller it is your responsibility to ensure that you have appropriate contracts in place with all of your Data Processing partners.

Data Protection Officer (DPO): The identifiable person responsible for managing and monitoring compliance with the Regulation.
Do you need one? In the final version of the GDPR you are only obligated to have a DPO if you are: a) a public authority, b) an organisation that engages in large-scale systematic monitoring, or c) an organisation that engages in large-scale processing of sensitive Personal Data (see the definition of this below).
However, if you aren’t obligated to have a DPO, you must designate a competent, nominated individual/team responsible for compliance. Essentially you can’t assign this to the ‘it’s someone’s job but I don’t know whose’ pile.

Supervisory Authority: Effectively the GDPR police. In the UK this is the Information Commissioner’s Office (ICO). If you are a multinational company with offices in more than one European country, your Supervisory Authority will be the one for the country in which your marketing activities are headquartered.

Sensitive Personal Data: There are 8 categories of sensitive Personal Data or ‘special categories’. If you want to collect any of the following types of information then you will need to have explicit Consent to process it, your security systems will need to be of the highest level and you will need to appoint a DPO:

  • Race or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Data concerning health or sex life
  • Sexual orientation