GDPR Glossary
Plain-English definitions of key data protection terms and abbreviations.
Data protection is full of abbreviations and legal terms. This glossary explains the most important ones in plain English — no legal background required.
- Accountability
  - The GDPR principle (Art. 5(2)) requiring controllers to be able to demonstrate compliance with all data protection principles — not just comply, but prove it.
- Consent
  - One of the six lawful bases for processing (Art. 6(1)(a)). Must be freely given, specific, informed, and unambiguous. Withdrawal must be as easy as giving it.
- Controller
  - The natural or legal person that determines the purposes and means of processing personal data (Art. 4(7)). Bears primary GDPR responsibility.
- Data Processing Agreement (DPA)
  - A contract required under Art. 28 GDPR between a controller and any processor acting on its behalf. Sets out the processor's obligations and restrictions.
- Data Protection Impact Assessment (DPIA)
  - A risk assessment required under Art. 35 GDPR before processing that is "likely to result in a high risk" to individuals' rights and freedoms.
- Data Protection Officer (DPO)
  - A designated expert required under Art. 37 GDPR in certain organizations. Can be internal or external. Must have expert knowledge of data protection law and be independent.
- Data Subject
  - The identified or identifiable natural person whose personal data is being processed (Art. 4(1)).
- GDPR
  - General Data Protection Regulation — EU Regulation 2016/679, in force since 25 May 2018. The primary data protection law of the European Union.
- Information Security Officer (ISO)
  - Responsible for operational information security management within an organization. Distinct from the DPO, though the two roles may overlap.
- Legitimate Interest
  - Lawful basis under Art. 6(1)(f) GDPR. Requires a three-part balancing test: the interest must be legitimate, the processing must be necessary for it, and it must not be overridden by the individual's rights and freedoms.
- NIS2 Directive
  - EU Directive on measures for a high common level of cybersecurity (2022/2555). Expands mandatory cybersecurity obligations to many more sectors than the original NIS Directive.
- Personal Data
  - Any information relating to an identified or identifiable natural person (Art. 4(1)). Includes names, email addresses, IP addresses, location data, and more.
- Processor
  - An entity that processes personal data on behalf of and under instruction from a controller (Art. 4(8)). Must operate under a Data Processing Agreement.
- Pseudonymization
  - Processing personal data in such a way that it can no longer be attributed to a specific individual without additional information (Art. 4(5)). Reduces but does not eliminate GDPR obligations, since pseudonymized data is still personal data.
- Records of Processing Activities (RoPA)
  - Documentation required under Art. 30 GDPR listing all processing activities, their purposes, legal bases, data categories, recipients, and retention periods.
- Special Category Data
  - Particularly sensitive personal data (Art. 9 GDPR) including health data, biometric data, political opinions, religious beliefs, and sexual orientation. Subject to stricter processing requirements.
- Technical and Organizational Measures (TOMs)
  - Security measures required under Art. 32 GDPR to protect personal data, including encryption, access controls, pseudonymization, backup procedures, and staff training.