This week, as part of our series on GDPR, we are looking at the key definitions in the EU General Data Protection Regulation to help you decide which of the obligations of GDPR do indeed apply to your business.

Data Controller

Like the existing Data Protection Act (DPA), the GDPR applies to Data Controllers who process personal data. So first, who is the Data Controller? This is a person who decides the purpose for which any personal data is to be processed and the way in which it is to be processed. This can be decided by one person alone or jointly with other people.

Data Processor

Unlike the DPA, the GDPR introduces specific responsibilities for the Data Processor. These are third parties that process data on behalf of the Data Controller and includes IT service providers (many of which are among our clients). In a later post, we’ll look at the specific responsibilities of Data Processors, especially when processing is subcontracted to other Data Processors.

By the way, an employee of a company which decides what and how personal data is to be processed is a Data Controller, not a Data Processor.

Personal Data

The GDPR has a broader definition of what constitutes personal data than the DPA, by incorporating reference to identifiers such as name, identification numbers, IP address and location. Each person to which the personal data refers is known as a Data Subject.

Sensitive Personal Data

Again, the GDPR definition of sensitive personal data is slightly broader than under the DPA. The main addition is biometric data, for the purposes of uniquely identifying a person. Actually, the GDPR talks about a special category of personal data rather than sensitive personal data but the definition is almost the same. The table below illustrates what is sensitive and what isn’t, and what isn’t personal data – but as this excellent article discussing the subject suggests, if you are asking yourself if it’s personal data or not, why not err on the side of caution and treat it as if it is?

Right To Be Forgotten

The right to erasure of personal data or ‘the right to be forgotten’ enables an individual to request the deletion or removal of personal data whether there is no compelling reason for its continued processing. We’ll talk more about this in the next post when we discuss consent.

Data Protection Officer

A Data Protection Officer is someone who is given formal responsibility for data protection compliance within a business. Not every business will need to appoint a data protection officer – you need to do so if:

  • Your organisation is a public authority; or
  • You carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • You carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

Data Protection Authority

The Data Protection Authority in the UK will still be the UK Information Commissioner, who is tasked by the EU with the monitoring and enforcement of the GDPR within the UK. The European Data Protection Board is the “super regulator” consisting of the heads of each national supervisory authority. The Queen’s Speech last week announced a new Data Protection Bill to remove any doubt that the UK will implement GDPR so that it continues to be in force after Brexit takes effect.


Derogation, meaning an exemption from the regulations, is something under active discussion within the DCMS at the moment (Department for Culture Media and Sport, the relevant government department). I’m a member of the GDPR working group of TechUK, the software and IT services industry body whose views DCMS seeks while drafting guidelines and derogations for GDPR.

Adequacy and Transfer of Data outside the EEA

If the UK leaves not only the EU but also the EEA, crucially the GDPR allows transferring data outside the EEA to any country or territory in respect of which the Commission has made a “positive finding of adequacy” i.e. is the transfer to a country on the EU Commission’s list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data? Achieving this “positive finding of adequacy” is one of the main aims of the consultation that DCMS is holding at the moment.


Pseudonymisation is a method by which personal data is processed such that it can no longer be tied to an individual data subject without linking to additional data. This does offer scope for some forms of data processing to avoid the obligations attendant on processing personal data, as long as the data being provided for processing doesn’t include the additional dataset(s).

Privacy Impact Assessments

A Privacy Impact Assessment (PIA) is an obligatory method of identifying and reducing privacy risks to individuals through the misuse of their personal information when you are undertaking new projects handling personal data.


Profiling means automated processing of personal data for evaluation analysis or prediction. When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place.

Further reading

This is by no means a complete list of the definitions used in the GDPR but it is the most important ones, other than terms like consent and Subject Access Requests which we will discuss in later posts.

In the next post, we’ll look at when you need consent.