Key GDPR definitions

  • GDPR: The General Data Protection Regulation (2016/679) is the new EU Regulation on Data Protection, which will come into force on the 25th May 2018.
  • Personal Data: Information relating to a living individual who is, or can be, identified by that information, including data that can be combined with other information to identify an individual. This can be a very wide definition, depending on the circumstances, and can include data which relates to the identity, characteristics or behaviour of an individual or influences the way in which that individual is treated or evaluated.
  • Processing: means performing any operation or set of operations on personal data, including: a. obtaining, recording or keeping data; b. organising or altering the data; c. retrieving, consulting or using the data; d. disclosing the data to a third party (including publication); and e. erasing or destroying the data.
  • Data Controller: A Data Controller is the person or organisation who decides the purposes for which, and the means by which, personal data is processed. The purpose of processing data involves ‘why’ the personal data is being processed and the ‘means’ of the processing involves ‘how’ the data is processed.
  • Data Processor: A person or organisation that processes personal data on the behalf of a data controller.
  • Data subject: A Data subject is the individual the personal data relates to.
  • Data Protection Impact Assessment (DPIA): A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and minimisation of these risks as far and as early as possible. DPIAs are important tools for negating risk, and for demonstrating compliance, including ongoing compliance, with the GDPR. (More guidance about conducting DPIAs can be found on
  • Lawful basis for processing personal data: In order to process personal data you must have a lawful basis to do so. The lawful grounds for processing personal data are set out in Article 6 of the GDPR. These are: the consent of the individual; performance of a contract; compliance with a legal obligation; necessary to protect the vital interests of a person; necessary for the performance of a task carried out in the public interest; or in the legitimate interests of company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject).
  • Retention Policy: How long will your organisation hold an individual’s personal data? This will be influenced by a number of factors. There may be legal requirements on your organisation, depending on your business type (e.g. medical council rules). Keep the data for the least amount of time that you can in accordance with the requirements of your business, store it securely while it is in your possession and make sure to delete it fully and safely at the appointed time.
  • Special Categories (sensitive) of personal data: This is defined in Article 9(1) of the GDPR as data ‘which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.
  • Consent: Article 7 of the GDPR has altered the conditions needed for consent as a legal basis for data processing to be valid. It is now necessary to consider whether consent was freely given and the data subject must have the opportunity to withdraw consent for processing at any time. Consent should not be assumed and must be obtained before data processing begins (e.g. through Privacy Notices). When processing the data of children in the context of online services, it is necessary to ensure that their age is verified and the consent of a legal guardian must be obtained. In Ireland, the Government is proposing that the age of digital consent, below which parental consent will be necessary, will be thirteen.