GDPR Glossary: A Breakdown for Busy People

Mac Hasley
February 15, 2018 ·
GDPR Glossary: A Breakdown for Busy People

A key principle of GDPR: Present your data policies to users free of “legalese.”


Going through the new General Data Protection Regulation is super important.

But it’s as fun as watching a golf tournament played back in slow motion.

So here’s a breakdown of what all these legal terms mean—written in sentences you won’t fall asleep halfway through.

Feel free to CTRL+F your way out of a headache.


Binding Corporate Rules (BCRs): Have personal data in the EU? Want to transfer it to folks in your multinational org. outside the EU? BCRs are your rules to follow.

Biometric Data: “Body data.” If it can identify you and has to do with physical, physiological, or behavioral traits—it’s this.


It’s gotta be:

  • freely given
  • specific
  • affirmative
  • explicit

So…if you’re going to email someone, you have to have their consent to be emailed. Going to use a cookie? You need specific consent for that too.

You have ask for people’s consent independently. You can’t lump it together with the same checkbox as your privacy policy.

And you can’t pre-check the “I consent to ____” box. They’ve gotta do that themselves.

You can’t write your old-fashioned “This site uses cookies, by being here, you’re cool with that” disclaimer and expect it to fly.

People have understand how you’re using their data. They have to give you the OK to use it that way.

It’s a lot.

We wrote more about it here.

Data Concerning Health: What it sounds like (thank god).

Data Controller: If you’re a marketer, that’s probably you. It’s the anyone who asks for, collects, and uses personal data, in any way. If you process it, if you store it, if you determines how people’s data is going to be used—you’re a data controller. Congrats!

Data Erasure: AKA: “Right to be Forgotten.” This just means a data subject (human person) can choose to have any data you have on them erased. They say the word, and you’ve got to clear their data, stop using it, and stop disseminating (gross), in any way.

Data Portability: If someone comes to you and says “HEY, I want a copy of all the data you have on me”—you’ve gotta say “sure, here yah go.” And you’ve got to pass them a copy of that data in a format that they can easily pass on to someone else. (More info on that lives here)

Data Processor: Whatever you (the data controller) use to collect and process data. A lot of your marketing tools are data processors (think, analytics tools, A/B testing tools, plugins, and the like).

Data Protection Authority: The scary folks who are going to make sure you follow the rules. These are national authorities who are in charge of protecting data and privacy–and monitoring the enforcement of GDPR within the EU.

Data Protection Officer: Someone you should appoint to handle all this regulation madness if you’re a company bigger than 250 people (but to be honest, GDPR can’t really make up its mind on what that number should be). This is an expert on data privacy who will work with you independently and keep you in line with GDPR.

Data Subject: Human—who has data, that you have, see, or use.

Delegated Acts: Fun “bonus laws” that supplement existing ones, in order to provide more clarity or criteria. Expect a bunch of these from independent EU nations moving forward.

Derogation: Exceptions to laws!

Directive: This is the law that sets a “goal” for all the EU countries. Then each countries makes its own national laws to meet that goal.

Encrypted Data: More or less: you protect personal data by muddling it all up. Data encryption ensures that only people with specified access can access or read the data you’ve stored. As far as security measures go, it’s a very good idea.

Enterprise: Anything engaged in an economic activity—regardless of its “legal form.” So people, organizations, associations you name it. Anyone who makes or messes with money.

Filing System: GDPR applies in two places: to automated systems (storing stuff on the computer and in databases), or, for hard copies, in “relevant filing systems.” A filing system is “relevant” if it can be searched, or accessed by specific criteria—like name, ID number, telephone number, etc.)

So if you dump all your HR data into unmarked, unorganized boxes—you probably don’t have to worry about those for GDPR. You just should worry about them, for you know, every other reason.

Genetic Data: The EU official site defines this but, come on. You know what genetics are.

Group of Undertakings: There’s a lot of case law to sift through to understand what an “undertaking” is—but it more or less comes down to this: an undertaking is when one company has control over another company. And control, in this case, means the ability to exercise “decisive influence.”

Example: a parent has a majority shareholding in a subsidiary. It’s assumed they can exercise control. That’s an undertaking.

And a group of undertakings is a group of those.

Main Establishment: This more or less has to do with where supervision is applied. It’s the place within the union where the decisions surrounding data processing are made. Meaning—if you process your data in Germany, even if you’re based elsewhere, your “main establishment” is in Germany.

PERSONAL DATA: ANOTHER BIG ONE. Personal data is any information that relates to a person and can be used to identify them. This includes data that can indirectly identify them, or identify them when combined with other incoming data.

This is different than PII (personally identifiable information). And it’s a stricter definition than we’ve really seen before.

Here’s a full breakdown:

Personal Identifiable Data (PII)
Personal Data
  • Full name (if not common)
  • Home address
  • Email address
  • National identification number
  • Passport number
  • Vehicle registration plate number
  • Driver’s license number
  • Face, fingerprints, or handwriting
  • Credit card numbers
  • Digital identity
  • Date of birth
  • Birthplace
  • Genetic information
  • Telephone number
  • Login name, screen name, nickname, or handle
  • Full name (if not common)
  • Home address
  • Email address
  • National identification number
  • Passport number
  • Vehicle registration plate number
  • Driver’s license number
  • Face, fingerprints, or handwriting
  • Credit card numbers
  • Digital identity
  • Date of birth
  • Birthplace
  • Genetic information
  • Telephone number
  • Login name, screen name, nickname, or handle


  • IP-address
  • Unique identifiers like Device IDs, UserID, TransactionID, CookieID
  • Pseudonymous data (thats unrecognizable data + key on different spot to make it readable again)

Personal Data Breach: A big “oops.” This is anytime someone can accidentally, or unlawfully, access, destroy, or misuse the personal data you have stored. Under GDPR, you’re required to let all your data-subjects know about one of these within in 72 hours.

Privacy by Design: Stop procrastinating. When you build out a system that deals with data—an interface, a website, anything—you should be thinking about data protection BEFORE you even get started. It should be designed with data rights in mind. They should not be a last minute edition.

Privacy Impact Assessment: A thing you (along with your Data Protection Officer) should do! Basically, this is just auditing for potential privacy risks. It means taking a look at your personal data, how it’s processed, and what you’re doing right now to protect it.

Processing: ANYTHING you do with personal data—manually, or automatically. Collecting it, recording it, using it. Personal data so much as flashes across your screen, and it’s processed.

Profiling: If you automate personal data, and analyze it to predict someone (specific)’s behavior—that counts as profiling.

Pseudonymisation – You have personal data. You process it in a way where you can’t attribute it to a data subject anymore—at least, not without some other, separately held piece of information. The classic example is substituting identifiable data with a reversible, consistent value—like a string of random numbers—which can be later “unlocked,” and reattributed.

This is different than actually anonymized data: in which the identifiable piece of information is totally destroyed.

Which techniques “count” as pseudonymization under GDPR hasn’t quite been determined yet, and there’s a lot of gray area as to what sort of data counts as “likely to be identified,” or “reasonably likely” to be identified.

But there are some fancy, GDPR incentives for pseudonymizing your personal data. You can find those in Recital 29.

For example, when you collect your standard, regular ole personal data, you can only use it for reasons explicitly “okayed” by the data subject. But with pseudonymization, you have a bit more leeway on how you can process data—even if it’s for a different purposes than the one it was collected for originally.

Recipient – A person that personal data is disclosed to.

Regulation – Law, that is binding and applies across the entire EU.

Representative – If the folks overlooking GDPR compliance need to call on data controllers (ie. your company) to address concerns, they address your representatives. Representatives need to be in the Union and explicitly designated for the task.

Right to be Forgotten: See Data Erasure, above.

Right to Access / Subject Access Right: If you have someone’s personal data, they can ask for access to it. You have to be able to give it to them.

Supervisory Authority: Every EU member state will appoint a public authority to oversee GDPR compliance. That’s a supervisory authority (but you might also know of this as a DPA, or a Data Protection Authority).

Trilogues – After everyone’s read the first draft of proposed legislation, the European Commission, European Parliament, and Council of the EU meet informally to negotiate. Those meetings are called trilogues and are held so a compromise text can be adopted quickly.


BCRs: Binding Corporate Rules (see above)

CFR: The Charter of Fundamental Rights of the European Union

CJEU: the Court of Justice of the European Union.

DPA: Data Protection Authority (See Supervisory Authority)

DPO: Data Protection Officer

ECHR: European Convention on Human Rights.

EDPB: European Data Protection Board

DEPS: European Data Protection Supervisor

EEA: European Economic Area (the 28 EU member states, plus Iceland, Liechtenstein, and Norway)

TFEU: Treaty on the Functioning of the European Union.

WP29: Working Party Article 29. It was an EU-level advisory board, made up of national DPAs. But the EDPB has more or less replaced it under GDPR.

Privacy Vendor List
Privacy Vendor List
Originally published February 15, 2018 - Updated December 10, 2021
Mobile reading? Scan this QR code and take this blog with you, wherever you go.
Mac Hasley
Mac Hasley Mac is a content strategist at Convert, a copywriter across the webz, and an advocate for marketing that is humble and kind

Start Your 15-Day Free Trial Right Now.
No Credit Card Required

You can always change your preferences later.
You're Almost Done.
I manage a marketing team
I manage a tech team
I research and/or hypothesize experiments
I code & QA experiments
Convert is committed to protecting your privacy.

Important. Please Read.

  • Check your inbox for the password to Convert’s trial account.
  • Log in using the link provided in that email.

This sign up flow is built for maximum security. You’re worth it!