This glossary aims to provide a brief, user-friendly guide to words, acronyms and phrases used in relation to data protection and the UK GDPR.



Accountability Principle

This is the principle under the UK GDPR that a controller is responsible for its compliance with the data protection legislation and must be able to demonstrate that compliance (see Article 5(2) of the UK GDPR). This requires the controller to be able to evidence steps taken to comply with data protection laws, and informs some of the prescriptive regulations on documentation requirements under the UK GDPR.


The Addendum to the EU SCCs is one of two current standard data protection clauses in force in the UK for international transfers. It takes into account the “Schrems II” judgement of the European Court of Justice. Unlike the International Data Transfer Agreement, it is not a standalone agreement and is for use as an addendum to the EU SCCs. The Addendum, which is also referred to as the “UK Addendum”, incorporates and replaces references to EU laws in the EU SCCs by references to UK laws and allows businesses to use the EU SCCs for international data transfers from the EU but also from the UK.

The Addendum can provide appropriate safeguards for restricted transfers of personal data when entered into as a binding contract. The Addendum may be particularly helpful for international companies subject to both the EU GDPR and UK GDPR, or where companies already have the EU SCCs in place.

Adequacy Regulations

UK adequacy regulations set out in law that the legal framework in a country, territory, sector, or international organisation has been assessed as providing ‘adequate’ protection for individuals’ rights and freedoms for their personal data. UK adequacy regulations are made in the UK by the Secretary of State and the Information Commissioner’s Office publishes a list of countries covered by adequacy regulations.

A transfer of personal data outside of the UK may take place in certain circumstances on the basis of adequacy regulations. Where adequacy regulations cover a particular county a transfer of personal data can be made from the UK to that country without having to put in place adequate safeguards.

Appropriate safeguards

Appropriate safeguards for transfer of personal data from the UK to a third country or an international organisation are listed in the UK GDPR as:

  • A legally binding and enforceable instrument between public authorities or bodies
  • Binding Corporate Rules
  • Standard data protection clauses
  • An approved code of conduct
  • Certification under an approved certification scheme
  • Contractual clauses authorised by the Information Commissioner’s Office
  • Administrative arrangements between public authorities or bodies

In the absence of a UK adequacy regulation for the recipient country or international organisation of an international transfer of personal data, you may make a restricted transfer if appropriate safeguards are in place and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46(1) of the GDPR).

A Transfer Risk Assessment should be carried out before relying on appropriate safeguards.

Anonymous data

Data that has been anonymised is not subject to the UK GDPR.

Anonymous data is data that has been stripped of sufficient elements so that the individual can no longer be identified, either directly or indirectly with other personal data the controller holds. Often organisations talk about anonymous data where the data is actually pseudonymised; that is, someone could use reasonably available means to re-identify the individual to which the data refers to.

If a controller has stripped data of the means of identifying an individual but still has the means of re-identifying those individuals (for example, by storing other data elsewhere), the data is likely to still be deemed personal data and subject to the UK GDPR. For data to be truly anonymous, there must be no chance, or only a very slight hypothetical possibility, that someone might be able to reconstruct the data in such a way that the individual is identified.

Binding corporate rules

Legally binding and enforceable internal rules or policies adhered to by UK based controllers or processors. You can make a restricted transfer within a multinational organisation if both you and the receiver have signed up to binding corporate rules approved by the Information Commissioner’s Office.

In practice, binding corporate rules are particularly relevant to multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.


Consent is a type of lawful basis for processing personal data. The UK GDPR sets a high standard for consent and requires the individual to have real choice and control.

Consent must be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by clear affirmative action, signifies agreement to the processing of personal data.


The person or legal entity that determines how personal data is processed and for what purposes. They exercise overall control of the purpose and means of processing, and therefore have the highest level of compliance responsibility. A controller will usually decide what data to process and why, as well as having autonomy to choose how the personal data is processed. There can be more than one controller of the same personal data.

Detailed definitions are contained in Article 4(7) of the UK GDPR and Section 6 of the Data Protection Act 2018.

Criminal offence data

In the context of the data protection legislation, criminal offence data is any personal data relating to criminal convictions, offences or related security measures.

Broad definitions are contained in Article 10 of the UK GDPR and Section 11(2) of the Data Protection Act 2018 and there are specific restrictions on the processing of criminal offence data in the data protection legislation.

Data breach notification

Article 33 of the UK GDPR requires a controller to notify the Information Commissioner's Office of a personal data breach without undue delay and not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Personal data breaches can be reported by telephone or online using the report form on the Information Commissioner's Office website.

Data concerning health

Data concerning health can include a wide range of personal data relating to physical or mental health of an individual, including the provision of health care services, which reveal information about their health status (see Article 4 of the UK GDPR).

It is defined as a type of special category personal data, which is afforded added protection under the UK GDPR due to its potential sensitivity and risk to individuals’ fundamental rights.

Data Protection Act 1998

The UK legislation which applied to processing of personal data prior to the implementation of the EU GDPR on 25 May 2018.

Data Protection Act 2018

The UK legislation which replaced the Data Protection Act 1998 and sets out the framework for data protection law in the UK. It sits alongside and adds to the UK GDPR.

Data protection impact assessment

A data protection impact assessment (or DPIA) is a process to help you identify and minimise the data protection risks of a project.

Under Article 35 of the UK GDPR, data protection impact assessments are required prior to carrying out processing that is likely to result in a high risk to the rights and freedoms of data subjects. The UK GDPR sets out specific situations which are likely to result in high risk, and there is Information Commissioner's Office and European guidance to help consider what may be deemed high risk.

Even where the legislation does not require a data protection impact assessment, it is good practice to do a data protection impact assessment for any major new project involving the use of personal data as this can help minimise potential risks, build trust and demonstrate accountability.

Data protection legislation

The exact definition of data protection legislation within an agreement often depends on the context of the data processing, but it will usually include all applicable data protection and privacy legislation in force from time to time in the country in which the data is being processed. For international agreements, there are some circumstances in which both the UK GDPR and the EU GDPR may apply (see our page on what law applies), in which case the definition of data protection legislation will need to be amended accordingly.

Section 3 of the Data Protection Act 2018 also includes a definition of data protection legislation, as:

  • the UK GDPR
  • the Data Protection Act 2018
  • regulations made under the Data Protection Act 2018, and
  • regulations made under the Section 2(2) of the European Communities Act which relate to the EU GDPR or the Law Enforcement Directive

Data Protection Officer

A data protection officer (or DPO) is an individual employee or an individual with responsibilities for compliance with the data protection legislation. The UK GDPR requires some organisations to designate a data protection officer (depending on the nature of the organisation or type of processing) and also sets out tasks that must be included as part of the data protection officer’s role.

Data protection principles

Article 5 of the UK GDPR sets out seven principles which apply to personal data and are fundamental to the data protection legislation:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

The principles inform the more detailed requirements of the UK GDPR. They also have practical implications for general data protection compliance and can provide a framework to structure data protection audits and data protection impact assessments

Data Subject

An individual who can be identified from the personal data (see section 3 Data Protection Act 2018). Data subjects must be living. Anyone whose personal data is used by someone subject to whom the UK GDPR applies is a data subject; they are the subject of the data. 


The General Data Protection Regulation ((EU) 2016/679), which is European Union legislation directly effective in EU Member States.

Filing system

In the context of data protection, Article 4 of the UK GDPR and Section 3 of the Data Protection Act 2018 define a filing system as "any structured set of personal data which are accessible according to specific criteria".  This includes manual information in a filing system.

Article 2 of the UK GDPR explains that the UK GDPR applies to the processing of personal data wholly or partly by automated means (ie, in electronic form) and to the processing of personal data other than by automated means where that personal data forms part of a filing system or are intended to form part of a filing system.

International Data Transfer Agreement

The International Data Transfer Agreement is one of two current standard data protection clauses in force in the UK for international transfers. It takes into account the “Schrems II” judgement of the European Court of Justice. It is a standalone agreement intended to be used for UK transfers to third countries without having to also enter into the new EU SCCs (unlike the Addendum to the EU SCCs also issued by the Information Commissioner's Office).

The International Data Transfer Agreement can provide appropriate safeguards for restricted transfers of personal data when entered into as a binding contract.

Information Commissioner’s Office

The Information Commissioner’s Office is the regulator for data protection and information rights law in the UK.  As part of its function, the Information Commissioner’s Office publishes guidance on various aspects of data protection law. 

International organisation

An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or based on, an agreement between two or more countries.

Under the UK GDPR, personal data can only be transferred to international organisations in compliance with the conditions for cross-border data transfers set out in Chapter V (Articles 44- 50) of the UK GDPR.

Joint controller

Joint controllers together determine the purposes and means of processing personal data and are both responsible for compliance with obligations under the data protection legislation. Joint controllers must have a transparent arrangement in place that sets out agreed roles and responsibilities for complying with the UK GDPR.

Each joint controller will be liable to a data subject for the entire damage caused by the processing, unless it can prove it is not in any way responsible for the event giving rise to the damage.

Lawful basis for processing

For the processing of personal data to be lawful, a controller must identify which of the lawful bases of processing are engaged. The lawful bases are set out in Article 6 of the UK GDPR for personal data:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interests

The lawful basis for your processing can affect which rights are available to individuals. Articles 13 and 14 also require you to provide people with information about your lawful basis for processing.

Processing special category data requires both a lawful basis and a special category condition under Article 9 of the UK GDPR.

Personal data

Personal data is information which relates to a person who can be identified, or who is identifiable directly from the information in question; or indirectly:

  • from the information in question, or
  • from that information in combination with other information

A full definition of personal data is contained in Article 4 of the UK GDPR and Section 3 of the Data Protection Act 2018.

Pseudonymisation can be a useful security measure for reducing risks although data still remains personal data, whereas truly anonymised data is not subject to the UK GDPR.

Personal data breach

Article 4 of the UK GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

This broad definition includes both accidental and deliberate acts. It is not solely limited to the loss of personal data.

The UK GDPR requires organisations to take various steps following the detection of a personal data breach (such as notifying to the Information Commissioner’s Office and data subjects), depending on the circumstances of the breach.

Privacy Notice

Articles 13 and 14 of the UK GDPR set out information that controllers must provide to individuals when collecting personal data. Often, this information is provided in a document called a privacy notice.

What you need to tell people, and when you need to tell people by, partially depends on whether you collect personal data from the individual it relates to or obtain it from another source.


Processing personal data is effectively doing anything with it.

A full definition of processing is contained in Article 4 of the UK GDPR and Section 3 of the Data Protection Act 2018; it means any operation (or set of operations) that is performed on personal data or on sets of personal data, whether or not by automated means, such as:

  • collection
  • recording
  • organisation
  • structuring
  • storage
  • adaptation or alteration
  • retrieval
  • consultation
  • use
  • disclosure by transmission
  • dissemination or otherwise making available
  • alignment or combination
  • restriction, erasure or destruction


A person or legal entity that processes personal data on behalf of a controller. Processors may make some non-essential decisions on how data is processed but follow the overall instructions of the controller (unless otherwise required by law). Decisions that may be taken by a processor include things such as the security measures to protect the data, the IT systems used to collect or store the data and how to delete or dispose of the data.

Processors must enter into a contract with the relevant controller and have less autonomy than controllers in what they can do with the data.


Profiling is using automated processing of personal data to identify or analyse things about a person, often to make decisions about that person. 

Article 22 of the UK GDPR has additional protections for individuals if a controller is carrying out solely automated decision-making, including those based on profiling, that has legal or similarly significant effects on the individual.


A security measure that replaces or removes information in the data that identifies the individual (for example allocating codes or reference numbers instead of names). Data which has been pseudonymised cannot be attributed to an individual person without applying additional (securely held) information to the data.

Pseudonymisation is an effective way to reduce risks to individuals, but the relevant data set remains personal data within the scope of the UK GDPR.

Public authority and public body

The UK GDPR and the Data Protection Act 2018 contain provisions which apply only to public authorities and public bodies. 

Section 7(1) of the Data Protection Act 2018 defines these as the following (with certain exceptions) when they are performing a task carried out in the public interest or in the exercise of official authority:

  1. a public authority as defined by the Freedom of Information Act 2000
  2. a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), and
  3. an authority or body specified or described by the Secretary of State in regulations

Record of processing activities

Article 30 of the UK GDPR requires certain controllers to maintain a record of processing activities (or ROPA), which must contain certain prescribed information.

Organisations with 250 or more employees must document all their processing activities. There are exceptions for organisations with fewer than 250 employees.


A representative is a natural or legal person established in the United Kingdom who, authorised by the controller or processor in writing pursuant to Article 27, represents the controller or processor regarding their respective obligations (for example to the Information Commissioner’s Office and data subjects) under the UK GDPR.

A representative is required under the UK GDPR if you are a controller or processor that is located outside of the UK:

  • with no offices, branches or other establishments in the UK, but
  • you are offering goods or services to individuals in the UK or monitoring the behaviour of individuals in the UK (meaning that the UK GDPR still applies)

Restricted Transfer

Restricted transfers relate to international transfers of personal data and are only permitted if the conditions set out in Chapter 5 of the UK GDPR are complied with. You make a restricted transfer under the UK GDPR if:

  • you transfer or send personal data (which is subject to the UK GDPR), or make it accessible, to a receiver which is located in a country outside the UK, and
  • the receiver is legally distinct from you as it is a separate company, organisation or individual. This includes transfers to another company within the same corporate group. The transfer restrictions only apply if you are sending personal data outside your company or organisation.

Special category and personal data

More stringent rules apply to special category personal data due to its sensitivity, which is defined in Article 9 of the UK GDPR as:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data revealing trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • data concerning health
  • data concerning a person’s sex life, and
  • data concerning a person’s sexual orientation

Standard data protection clauses

Also known as ‘standard contractual clauses’ and ‘SCCs’, these can be used as a form of appropriate safeguard under Article 46 of the UK GDPR when controllers and processors need to make restricted transfers to third countries or international organisations. They may be required if there are no UK ‘adequacy regulations’ in place for the recipient country.

In the UK, the current standard data protection clauses are the International Data Transfer Agreement and an Addendum to the European Commission SCCs.

Other steps may be required before using standard data protection clauses, such as completing a Transfer Risk Assessment.

Subject Access Request

A request made by a data subject to exercise their right to know what personal data an organisation holds about them under the UK GDPR. An organisation will usually have a month to respond to the request and must normally inform the data subject whether or not they process your personal information and, if they do, provide copies of it. Other information will also normally be required, although there are certain exceptions to the right where the request is manifestly unfounded or excessive.

Third country

For the purposes of the UK GDPR, this means a country or territory outside the United Kingdom (Section 33 Data Protection Act 2018).

Transfer Risk Assessment (TRA)

Following the Schrems II judgement, before you may rely on an Article 46 UK GDPR transfer tool to make an international data transfer (such as the International Data Transfer Agreement and Addendum), you must carry out a risk assessment.

A transfer risk assessment assesses whether for the restricted transfer, taking into account all the circumstances of that restricted transfer, the appropriate safeguards (eg, International Data Transfer Agreement or Addendum) provide protection for the data subjects, which is sufficiently similar to the relevant protections they have when their data is in the UK.

One element of a transfer risk assessment is to assess whether the relevant local laws and practices in the recipient country include safeguards which are sufficiently similar in their objectives to the principles which underpin UK laws regarding the protection of data subjects (eg, on third party access and surveillance).


The UK GDPR is defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018. The UK GDPR, together with the Data Protection Act 2018, is the key data protection legislation in the UK and is based on and largely consistent with the EU GDPR.


back to top

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.