The GDPR uses terminology that marketers may not be familiar with. In order to provide clarity, the DMA has translated these legal terms so that marketers, not just legal professionals, can understand the language used.
Anonymous data: the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.
Consent: According to the GDPR, consent “means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Controller: the organisation or individual that determines how the personal data is processed.
Legitimate interest (LI): A legal ground that can be used to process personal data for direct marketing in certain circumstances. The GDPR gives individuals the right to object to the processing of personal data based on LI, and it sets out strict criteria for organisations that seek to rely on LI. These include establishing that the processing is necessary and that a balancing test has been conducted.
Personal data: Any information that can be used to identify a person is personal data. For example, names and email addresses are personal data because they reveal someone’s identity. The GDPR expands the definition of personal data to include IP addresses and online identifiers, like cookies.
Personal data breach: A breach of security that means unauthorised individuals or groups are able to access personal data. This could be the result of hacking by outside groups or because an employee made a mistake.
Data-protection-by-design: A new concept introduced by the GDPR, whereby an organisation considers what impact a particular campaign or product may have on privacy from the very start. In a marketing context, this means identifying a campaign’s risks to privacy and/or data protection, recording them and taking appropriate steps to mitigate them: thinking about privacy from the start and not as an afterthought.
Data-protection-by-default: Similar to Data-protection-by-design, this phrase refers to the privacy settings on goods or services. For example, when a phone app goes to market it should have its privacy settings set to the highest level possible as the default setting. The user could then decide to lower the privacy settings if they so wished.
Processing: Any operation conducted on personal data, which may include collecting, recording, storing, structuring, organising, transmitting or disseminating personal data.
Processor: The organisation that only processes personal data according to the instructions of the data controller. For example, an email services organisation only processes personal data in line with what its client tells it, and this makes it a data processor.
Profiling: Any type of automated processing of personal data that evaluates the characteristics of someone in order to make a decision. Marketing segmentation or targeting is a type of profiling.
Pseudonymisation: A method of making personal data no longer attributable to an individual, without further information, meaning someone could not be identified from the data. It is a process that reduces the privacy risks for people as they can no longer be identified.
Special categories of personal data: Categories of personal data that are subject to stricter requirements because of their sensitive nature. The GDPR lists the following as special categories of personal data: “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sexual orientation.”
Supervisory authority: An independent public authority responsible for enforcing the GDPR. The Information Commissioner’s Office (ICO) is the supervisory authority in the UK.
Third party: Any organisation or individual that is neither the data controller nor the processor, and that is authorised by either the controller or the processor to process personal data. For example, if an organisation sold personal data to another organisation, the organisation purchasing the personal data would be classed as a third party.