GDPR Jargon Explained

Data Controller

Means a person who (either alone or jointly in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.

Data Processor

In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.


In relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.

Personal Data

Any reference to identifiers such as name, identification numbers, IP address and location.  Each person to which the personal data refers is known as the Data Subject.

Sensitive Personal Data

As above but this is a Special Category of personal data which refers to very specific personal data which could be harmful if it were to get into the wrong hands, not be on hand when needed or was not kept up-to-date.

Biometric and Genetic Data

Unique details about a person for example, finger prints.

Right to be Forgotten

Individuals will all have the right to erasure of personal data.

Data Protection Officer

A Data Protection Officer (DPO) is the person who is given formal responsibility for data protection compliance within an organisation.  As schools are deemed by the ICO to be a public authority, they must appoint a DPO.

Data Sharing Agreement

One of these must be in place for any organisation your school shares data with ie, suppliers.

Privacy Notice

This is the school's notice to explain to everyone how you handle information that you have access to.  Every school will need one on 25 May and it should be easily understood by parents and children.


This is a method by which personal data is processed so that it can no longer identify an individual subject without linking to additional data.

Encrypted Data

Data is converted into code in order to prevent unauthorised access.  It needs to be 'unlocked' to convert it back to make sense to the reader.  Personal data must be encrypted.

Data Breach

A data breach is a breach of security in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so. For example, the loss of a USB stick, data being sent to the wrong address, the theft of a laptop or hacking.


The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest.  They are sometimes referred to as the UK Supervisory Authority.

Data Protection Impact Assessment (DPIA)

Sometimes referred to as part of a PIA (Privacy Impact Assessment).  A DPIA describes the nature, scope, context and purpose of the processing.  This document is written evidence that you have considered all the things that could potentially go wrong regarding aspects of personal data.

Privacy by Design

This is an approach where privacy and Data Protection compliance is built into systems holding information right from the start of the development process.

Subject Access Request (SAR)

As an organisation that holds personal data, you may well be asked to provide an individual with a report which details what, where, how and with whom you share their data.

Scroll to top