The GDPR Jargon Buster

28 May 2018

Lorraine Valentine cuts through some of the jargon associated with the EU General Data Protection Regulation (GDPR), which came into force last Friday, May 25th.

The General Data Protection Regulation (GDPR) has finally come into effect. It can be difficult to understand some of the confusing terminology referenced in the legislation. In this article, we have put together a useful GDPR jargon buster to help you understand some of the key language used.

Personal Data

The GDPR has a broader definition of what constitutes personal data. It is any information relating to an identified or identifiable natural person that can be used directly or indirectly to identify the person e.g. name, identification number, location data or online identifier.

Data Controller

A legal individual, public authority, agency or body that, alone or jointly with others, determines the purposes and methods of processing personal data.

Data Processor

 A legal individual, public authority, agency or body that, which processes personal data on behalf of the controller.


Any operation performed on personal data, whether or not by automated means, including collection, use, recording etc.


Informed, unambiguous, freely given, specific and explicit consent by statement or action from the data subject to have data relating to him/her processed.


This is a new principle under GDPR and means that organisations must have clear documentation and recording procedures in place to prove that your organisation meets the required standards.

Data Breach

A breach of security leading to the destruction, loss, alteration, unauthorised disclosure, of or access to, personal data.

Special Categories of Personal Data

Data concerning the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation of an individual.

Data Protection Officer

A representative for the data controller/data processor who oversees data protection compliance and is a data privacy expert. Under GDPR, not all organisations have a requirement to appoint a Data Protection Officer.

Data Subject

The data subject is the individual the personal data is in relation to

Supervisory Authority

The independent public authority who will be enforcing GDPR. In Ireland this will be the Data Protection Commissioner


A process to make personal data no longer attributable to a single data subject without the use of additional data. Additional data must be separate to ensure non-attribution.

Privacy by Design

The inclusion of data protection from the onset of designing of systems, rather than an addition/afterthought

Privacy Impact Assessment

A method of identifying and reducing privacy risks for individuals when undertaking new projects handling personal data.

Biometric Data

Data that enables the identification of a data subject. It can include behavioural and physical characteristics of that person e.g. facial image.

Encrypted data

The protection of personal data through technological measures to ensure that data is only accessible/readable by those with appropriate permission.


For further information please visit the Data Protection Commissioner’s website click here or the UK Information Commissioners office website click here

Join the Construction Industry Federation