The General Data Protection Regulation (GDPR) is one of the most far-reaching pieces of legislation in force today, affecting a huge population all over the world. It contains a long list of obligations that must be followed, and a layperson will find its content hard to grasp because of the legal terminology. A handful of key terms recur throughout the text; learning them gives you a much better understanding of what the law demands.

This article explains those key terms, which are repeated frequently and form the core of the whole GDPR.

Personal data

Under GDPR, the term personal data holds paramount importance, because the regulation applies only to data that falls under the definition of personal data. Personal data refers to all data that, directly or indirectly (in combination with other data), can be used to identify a person. This includes a name, an address, an ID number, an online identifier, or information about the physical, genetic, physiological, mental, economic, cultural or social identity of that person.

Sensitive Personal Data

Sensitive personal data refers to all data that reveals sensitive information about a person, such as biometric data, sexual orientation, race, religious beliefs, political opinions, etc. GDPR strictly prohibits the collection, transfer, and storage of such data without the prior consent of the individual.

Personal Data Breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Controller

A data controller is any person, organization or body that decides the purpose of collecting personal data from EU citizens, how it is processed, where it is stored, for how long, etc. Familiar examples of individual data controllers include physicians, pharmacists and lawyers, who keep personal information about their patients or clients. For data controller organizations, the best examples are organizations of any kind, large or small, profit or not-for-profit, private or government-owned, that keep information about their employees, clients, etc.

Data Subject

Under GDPR, a data subject is a natural person who belongs to the European Union. It can be an individual, a customer, a prospect, an employee, etc. Throughout the regulation, the person whose data is being collected and processed is referred to as the "data subject".

Consent

Consent is "any freely given, specific, informed and unambiguous" indication of a data subject's wishes, given in the form of an affirmative action, agreeing to have their personal data collected and processed. When giving consent, the data subject must be made aware, in a clear and intelligible way, of why their data is being collected, stored, etc.

Data Processor

A data processor is any natural or legal person, agency or other body that processes personal data on the instructions of a data controller.

Data Protection Officer

A data protection officer is an appointed individual who is responsible for ensuring that all GDPR policies and procedures are complied with according to the law. Not every organization or business has to appoint a data protection officer; you only need to appoint one if you meet any of the following conditions:

i) your organization is a public authority;

ii) you are carrying out large-scale monitoring of individuals;

iii) you process special categories of data, or data relating to criminal convictions and offenses, on a large scale.

Data Protection Authority

It is the national authority that protects the data of individuals.

Biometric Data

It is personal data resulting from specific processing of the physical features of a person in order to identify that person.

Data Processing

Data processing is defined as any operation or set of operations performed on personal data or on sets of personal data, whether automated or not. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Profiling

Data profiling is the automated processing of personal data to evaluate certain personal aspects of an individual such as work, economic situation, location, health, personal preferences, reliability, or behavior.

Pseudonymization

It is the processing of data so that it can no longer be attributed to a data subject without the use of certain additional data, which is kept separately. Coded data sets used in clinical trials are a good example of pseudonymized data.

Binding Corporate Rules (BCR)

Binding corporate rules are a set of rules adopted by a multinational company itself, allowing it and other organizations in the group to transfer personal data they control from the EU to their affiliates situated outside the EU.

Third Party

It can be a legal body, an agency or an authority other than the data subject, the data controller or the data processor, who is authorized to process personal data under the data controller.

Data Privacy Impact Assessment

It is an obligation imposed on data controllers and processors to carry out a privacy impact assessment before undertaking data processing, in order to detect any privacy risk.

Wrapping Up

Although the definitions given above are accurate as of this writing, changes are bound to happen. You should therefore revisit this article from time to time to stay updated on those changes.