GDPR Glossary: A Breakdown for Busy People
February 15, 2018 –
A key principle of GDPR: Present your data policies to users free of “legalese.”
SO WHY DID THEY GIVE US 200 PAGES OF BRAIN MELTING JARGON TO READ?
Going through the new General Data Protection Regulation is super important.
But it’s as fun as watching a golf tournament played back in slow motion.
So here’s a breakdown of what all these legal terms mean—written in sentences you won’t fall asleep halfway through.
Feel free to CTRL+F your way out of a headache.
Binding Corporate Rules (BCRs): Have personal data in the EU? Want to transfer it to folks in your multinational org. outside the EU? BCRs are your rules to follow.
Biometric Data: “Body data.” If it can identify you and has to do with physical, physiological, or behavioral traits—it’s this.
CONSENT: This is a big one. GETTING CONSENT TO USE SOMEONE’S PERSONAL DATA IS COMPLICATED NOW.
It’s gotta be (Article 4(11)):
- freely given
- specific
- informed
- unambiguous (a clear affirmative action, not silence or inactivity)
So…if you want to rely on consent to email someone, you have to have their consent to be emailed. Going to drop a tracking cookie? You need specific consent for that too. (Consent is one of six lawful bases in Article 6; a contract, a legal obligation, or legitimate interests can be the basis instead, but then don’t call it consent.)
And you can’t pre-check the “I consent to ____” box. They’ve gotta tick that themselves.
People have to understand how you’re using their data. They have to give you the OK to use it that way, and they have to be able to withdraw that OK as easily as they gave it.
It’s a lot.
We wrote more about it here.
Data Concerning Health: What it sounds like (thank god).
Data Controller: If you’re a marketer, that’s probably you. It’s anyone who decides the “why” and the “how” of processing personal data: what gets collected, what it’s used for, and how. If you determine how people’s data is going to be used, you’re a data controller, even if someone else stores or crunches it for you. Congrats! (If you only process data on somebody else’s instructions, you’re a data processor. See below.)
Data Erasure: AKA: “Right to be Forgotten” (Article 17). This means a data subject (human person) can ask to have the data you have on them erased, for example when it’s no longer needed for the purpose you collected it for, or when they withdraw consent and you have no other legal basis. They say the word, and you’ve got to clear their data, stop using it, and stop disseminating (gross) it, in any way, and tell anyone you passed it to. It isn’t absolute, though: you can keep data you’re legally required to keep or need for legal claims.
Data Portability: If someone comes to you and says “HEY, I want a copy of all the data you have on me”—you’ve gotta say “sure, here yah go.” And you’ve got to pass them a copy of that data in a structured, commonly used, machine-readable format (think CSV or JSON, not a PDF scan) that they can easily pass on to someone else. This covers data they gave you that you process by automated means on the basis of consent or a contract. (More info on that lives here)
Data Processor: Anyone who processes personal data on your (the data controller’s) behalf and on your instructions. A lot of your marketing tool vendors are data processors (think, analytics tools, A/B testing tools, email platforms, plugins, and the like). You need a written contract with each of them (Article 28), and you’re still on the hook for what they do with the data.
Data Protection Authority: The scary folks who are going to make sure you follow the rules. These are national authorities who are in charge of protecting data and privacy–and monitoring the enforcement of GDPR within the EU.
Data Protection Officer: Someone you must appoint to handle all this regulation madness if you’re a public authority, if your core activities involve regular and systematic monitoring of people on a large scale, or if you process special categories of data (health, biometrics, and so on) on a large scale (Article 37). The “250 employees” figure you’ll see floating around is actually the threshold for keeping written records of processing (Article 30), not for needing a DPO. This is an expert on data privacy who works independently of the rest of the business and keeps you in line with GDPR.
Data Subject: A human (an identified or identifiable natural person) whose personal data you hold, see, or use.
Delegated Acts: Fun “bonus laws” that supplement existing ones, in order to provide more clarity or criteria. They’re adopted by the European Commission under a power the main law delegates to it, not by individual EU nations (what the nations pass are their own national laws filling the gaps GDPR leaves open to them).
Derogation: Exceptions to laws!
Directive: This is a law that sets a “goal” for all the EU countries. Then each country makes its own national laws to meet that goal. (GDPR is a regulation, not a directive. See below.)
Encrypted Data: More or less: you protect personal data by muddling it all up. Encryption ensures that only people holding the key can read the data you’ve stored; everyone else just sees noise. GDPR names it as an appropriate security measure (Article 32), and if a breach only exposes properly encrypted data (and not the key), you may be excused from telling the data subjects about it (Article 34). As far as security measures go, it’s a very good idea.
Enterprise: Anything engaged in an economic activity—regardless of its “legal form.” So people, organizations, associations you name it. Anyone who makes or messes with money.
Filing System: GDPR applies in two places: to automated processing (storing stuff on the computer and in databases), and, for hard copies, to data that is part of a “filing system.” A filing system is any structured set of personal data that can be searched, or accessed by specific criteria—like name, ID number, telephone number, etc. (The word “relevant” in front of it comes from the old UK Data Protection Act, not GDPR.)
So if you dump all your HR data into unmarked, unorganized boxes—you probably don’t have to worry about those for GDPR. You just should worry about them, for you know, every other reason.
Genetic Data: The EU official site defines this but, come on. You know what genetics are.
Group of Undertakings: There’s a lot of case law to sift through to understand what an “undertaking” is—but it more or less comes down to this: an undertaking is any entity engaged in an economic activity (basically, an enterprise). A group of undertakings is a controlling undertaking plus the undertakings it controls (Article 4(19)). And control, in this case, means the ability to exercise “decisive influence.”
Example: a parent has a majority shareholding in a subsidiary. It’s assumed the parent can exercise control. Parent plus subsidiary: that’s a group of undertakings.
Main Establishment: This more or less decides which supervisory authority is your “lead” one. It’s the place within the Union where your central administration sits, unless the decisions on why and how personal data is processed are actually made somewhere else in the Union, in which case it’s that place. Meaning—if your decisions about data processing are made in Germany, even if your servers sit elsewhere, your “main establishment” is in Germany. It’s about where the decisions are made, not where the data physically lives.
PERSONAL DATA: ANOTHER BIG ONE. Personal data is any information that relates to an identified or identifiable person. This includes data that can indirectly identify them, or identify them when combined with other data you have or could reasonably get.
This is broader than PII (personally identifiable information) as it’s usually understood in the US. And it’s a stricter definition than we’ve really seen before: an IP address, a cookie ID, a device ID, or location data can all be personal data on their own (Recital 30), because they single a person out even if you never learn their name.
Personal Data Breach: A big “oops.” This is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data you have stored. Under GDPR, you’re required to report one of these to your supervisory authority within 72 hours of becoming aware of it, unless it’s unlikely to put people at risk (Article 33). If it’s likely to put people at high risk, you also have to tell the affected data subjects themselves, without undue delay (Article 34).
Privacy by Design: Stop procrastinating. When you build out a system that deals with data—an interface, a website, anything—you should be thinking about data protection BEFORE you even get started. It should be designed with data rights in mind, and the privacy-friendly setting should be the default (GDPR calls this “data protection by design and by default,” Article 25). They should not be a last-minute addition.
Privacy Impact Assessment: A thing you (along with your Data Protection Officer) should do! GDPR calls it a Data Protection Impact Assessment (DPIA) and makes it mandatory when processing is likely to put people at high risk, like large-scale profiling or tracking (Article 35). Basically, this is just auditing for potential privacy risks. It means taking a look at your personal data, how it’s processed, why you need it, and what you’re doing right now to protect it.
Processing: ANYTHING you do with personal data—manually, or automatically. Collecting it, recording it, using it. Personal data so much as flashes across your screen, and it’s processed.
Profiling: If you process personal data automatically to evaluate or predict things about a (specific) person—their behavior, interests, health, location, reliability, and so on—that counts as profiling.
Pseudonymisation – You have personal data. You process it in a way where you can’t attribute it to a data subject anymore—at least, not without some other, separately held piece of information. The classic example is substituting identifiable data with a reversible, consistent value—like a string of random numbers—which can be later “unlocked,” and reattributed.
This is different than actually anonymized data: in which the identifiable piece of information is totally destroyed.
Which techniques “count” as pseudonymization under GDPR hasn’t quite been determined yet, and there’s a lot of gray area as to what sort of data counts as “likely to be identified,” or “reasonably likely” to be identified.
But there are some fancy, GDPR incentives for pseudonymizing your personal data. You can find those in Recital 29.
For example, when you collect your standard, regular ole personal data, you can only use it for the purposes you told the data subject about. But pseudonymization is one of the safeguards that counts in your favor when you want to process data for a different purpose than the one it was collected for originally (Article 6(4)), so it buys you a bit more leeway.
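Here is what the “reversible, consistent value” idea looks like in practice. This is an added example, not code from the original post: it pseudonymizes a constructed set of marketing events by replacing the email address with a keyed token, keeps the “additional information” (the key and the token-to-identity table) in a separate vault object, and shows why a plain unkeyed hash is not a real pseudonym (anyone with a list of likely emails can reverse it). Destroying the vault turns the same dataset into anonymized data. The record fields and the vault class are assumptions for illustration.

```python
"""Pseudonymisation vs. anonymisation, as an added example.

The dataset keeps only a token per person; the PseudonymVault holds the
separately stored "additional information" that lets you re-identify.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample events (not real data); note the mixed-case duplicate.
SAMPLE_RECORDS = [
    {"email": "ada@example.com", "name": "Ada", "page": "/pricing"},
    {"email": "Ada@example.com", "name": "Ada", "page": "/checkout"},
    {"email": "bob@example.com", "name": "Bob", "page": "/pricing"},
]


class PseudonymVault:
    """Assumed helper: the additional information kept apart from the data."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Secret key for the keyed hash; without it a token can't be recomputed.
        self.key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}  # token -> original identifier

    def pseudonymise(self, identifier: str) -> str:
        if self.key is None:
            raise RuntimeError("vault destroyed: data is anonymised, no new tokens")
        canonical = identifier.strip().lower().encode()
        # HMAC is consistent (same input -> same token) yet not computable
        # without the key, so a guessed-email dictionary can't reverse it.
        token = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()[:16]
        self.lookup.setdefault(token, identifier.strip())
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Attribute a token back to a data subject, if we still can."""
        return self.lookup.get(token)

    def destroy(self) -> None:
        """Anonymise: with key and table gone, tokens can't be attributed."""
        self.key = None
        self.lookup.clear()


def pseudonymise_records(records: List[dict], vault: PseudonymVault) -> List[dict]:
    """Strip direct identifiers, keep the analytical fields plus a token."""
    return [{"subject": vault.pseudonymise(r["email"]), "page": r["page"]} for r in records]


def pages_per_subject(pseudo_records: List[dict]) -> Dict[str, int]:
    """Analytics still work on tokens: events per (unknown) person."""
    counts: Dict[str, int] = {}
    for r in pseudo_records:
        counts[r["subject"]] = counts.get(r["subject"], 0) + 1
    return counts


def naive_hash(identifier: str) -> str:
    """The bad idea: an unkeyed hash that looks anonymous but isn't."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def dictionary_attack(target: str, candidates: List[str],
                      guess_fn: Callable[[str], str]) -> Optional[str]:
    """Reverse a token by hashing every candidate the attacker can think of."""
    for c in candidates:
        if guess_fn(c) == target:
            return c
    return None


if __name__ == "__main__":
    vault = PseudonymVault()
    pseudo = pseudonymise_records(SAMPLE_RECORDS, vault)
    print(pseudo)                      # tokens and pages, no emails or names
    print(pages_per_subject(pseudo))   # Ada's two visits share one token
    token = pseudo[0]["subject"]
    print(vault.reidentify(token))     # works while the vault exists
    vault.destroy()
    print(vault.reidentify(token))     # None: now it's anonymised
    guesses = ["bob@example.com", "ada@example.com"]
    print(dictionary_attack(naive_hash("ada@example.com"), guesses, naive_hash))  # recovered
    print(dictionary_attack(token, guesses, naive_hash))                          # None
```

The point of keeping the key and lookup table in a separate object (in real life: a separate system with separate access controls) is that the analytics team can work on the tokenized records without ever being able to say who “a1b2…” is, while the people who are authorized to re-identify can. Deleting that separately held information is what moves you from pseudonymized to anonymized, and the dictionary attack at the end is why an unsalted SHA-256 of an email address does not get you there.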
Recipient – A person that personal data is disclosed to.
Regulation – Law, that is binding and applies across the entire EU.
Representative – If your company is outside the EU but offers goods or services to, or monitors, people in it, you have to designate someone inside the Union, in writing, that the supervisory authorities and data subjects can go to instead of you (Article 27). Appointing one doesn’t get you off the hook; they’re a point of contact, and you stay liable.
Right to be Forgotten: See Data Erasure, above.
Right to Access / Subject Access Right: If you have someone’s personal data, they can ask for a copy of it, plus what you’re using it for, who you’ve shared it with, and how long you’ll keep it. You have to be able to give it to them, normally within a month and free of charge (Articles 12 and 15).
Supervisory Authority: Every EU member state will appoint a public authority to oversee GDPR compliance. That’s a supervisory authority (but you might also know of this as a DPA, or a Data Protection Authority).
Trilogues – After everyone’s read the first draft of proposed legislation, the European Commission, European Parliament, and Council of the EU meet informally to negotiate. Those meetings are called trilogues and are held so a compromise text can be adopted quickly.
BCRs: Binding Corporate Rules (see above)
CJEU: the Court of Justice of the European Union.
DPA: Data Protection Authority (See Supervisory Authority)
EDPB: European Data Protection Board
EDPS: European Data Protection Supervisor
EEA: European Economic Area (the 28 EU member states, plus Iceland, Liechtenstein, and Norway)
TFEU: Treaty on the Functioning of the European Union.
WP29: Article 29 Working Party. It was an EU-level advisory body, made up of national DPAs. The EDPB replaces it under GDPR.