10 Key GDPR Terms You Need to Know

by Sarah Harvey / July 3rd, 2018

The most common questions we receive regarding GDPR compliance are all related to terms and definitions. Controllers, processors, processing, sub-processor, joint controller, controller-processor – there’s so many complicated, similar GDPR terms. If you’ve been confused by what terms mean and which definitions are vital to the compliance process, you are not alone. What’s your organization’s role? Who enforces GDPR? What kind of data is covered under the law? What kind of person is covered under the law? Understanding key GDPR terms will help you be able to answer these important questions and help you begin your GDPR compliance journey.

Key GDPR Terms Defined

Data Subject: Some may assume that “data subjects” means EU citizens, but the explicit language of the law applies to processing the personal data of “data subjects in the Union” which could cover tourists, non-citizen residents, international students, and much more. Because GDPR uses informal descriptions for the term “data subject,” the public has been left with varying interpretations and significant challenges. We generally see five definitions proposed for data subjects:

1. A person located in the EU,
2. A resident of the EU,
3. A citizen of the EU,
4. An EU resident/citizen physically located anywhere in the world, or
5. A person whose personal data is processed within the EU, regardless of that person’s location.

Organizations should closely monitor regulatory and legal developments related to the definition of “data subject.”

Personal Data: Per Article 4(1), personal data is any identifiable information related to a data subject. For example: name, geographic location data, email address, IP address, photographs, video or voice recordings, biometric data, or an online identifier of the specific physical, physiological, genetic, mental, economic, cultural, or social identify of a data subject.

Controller: The natural or legal entity that regulates the purpose and means of processing personal data. The greater the decision-making authority an organization has regarding what personal data to obtain from data subjects and how to use that personal data, the more likely it is that an organization takes on the responsibilities of a data controller.

Processing: Processing is any action that impacts or uses personal data, including accessing, collecting, storing, archiving, reviewing, or destroying.5. Processor The natural or legal entity that processes personal data in support of a controller. Processors cannot process data without the authority of the data controller, therefore, processors must provide controllers with sufficient GDPR compliance guarantees, notification of data breaches, and adding/changing of sub-processors.

Processor: The natural or legal entity that processes personal data in support of a controller. Processors cannot process data without the authority of the data controller, therefore, processors must provide controllers with sufficient GDPR compliance guarantees, notification of data breaches, and adding/changing of sub-processors.

Data Protection Officer (DPO): An individual that has expert knowledge of data protection laws, coordinates with data subjects and supervisory authorities, participates in data protection impact assessments, and monitors GDPR compliance.

Supervisory Authority: Independent, public authorities for each EU member state that are responsible for monitoring the application of GDPR and addressing non-compliance. For example:

• National Commission of Computing and Freedoms in France

• The Federal Commissioner for Data Protection and Freedom of Information in Germany

• Agency of Protection of Data in Spain

• The Information Commissioner’s Office in the United Kingdom

Joint Controller: When two or more controllers jointly have authority over and determine the purposes and means for processing personal data.

Controller-Processor: An organization or person identified as both a controller and a processor.

Sub-processor: An organization that processes personal data on behalf of a processor. Sub-processors must comply with the same contractual and compliance requirements as a processor.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.