Data protection definitions

The UK General Data Protection Regulation governs the processing of personal data.

The following terminology and definitions are used in the GDPR and related legislation, such as the Data Protection Act 2018.

You will often see this language in Terms and Conditions, Data Sharing Agreements,or contractual documentation with suppliers and third parties. 

Personal data

Defined in law as information relating to an identified or identifiable living natural person, where that individual can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Special category data

Data considered to be of a higher risk and requiring an additional legal basis to process. Includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.  

Criminal convictions data

Personal data relating to criminal convictions and offences or related security measures.


‘Processing’ means any action that is performed on personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. 

Data subject

The individual who is the subject of personal data e.g.,staff, students, customers. 

Data Controller

A Data Controller determines the purposes for which personal data are processed. The University is a registered Data Controller. 

Data Processor

A Data Processor is any individual or organisation who processes personal data on behalf of, and according to the purposes defined by, the data controller. 


A subprocessor is any organisation or individual who processes data on behalf of the processor. The processor is usually responsible for ensuring that these subprocessors give an equal level of data protection to controller’s data. 

Data Subject Rights

A data subject has a number of rights in regard totheir data, such as the right to access that data or the right to erase data no longer legally or contractually required. 

Data Protection Impact Assessment

A‘Data Protection Impact Assessment’(DPIA)is a document which explores the privacy risks around the processing of data. It is a legal requirement where any data processing is likely to result in a high risk to individuals and good practice for any project involving the processing of personal data.

Data breach

A data breach is an incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. These need to be reported to the data protection officer as soon as possible. 

Data Protection Officer 

Every public authority requires a statutory Data Protection Officer to advise and monitor data protection compliance.


‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the person is not identified.


Means the processing of personal data in such a manner that it no longer becomes possible to link the data back to the individual and therefore ceases to be personal data and in the scope of GDPR.


Encryption recodes data in such a way that it is only accessible to those who are given the key to open the files. A common approach would be to use password protected files for storage and transfer or encrypted removable media such as a portable hard drive or USB stick. Encryption is increasingly seen as a minimum standard for safeguarding data. 

International transfers

Where data is transferred outside the UK, perhaps by a third party that has servers in a different country, the University needs to determine that there are safeguards around the data. 

Direct marketing

Direct Marketing is advertising or marketing material which is directed to particular individuals. This covers all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations. There are specific rules around direct marketing the University needs to follow and can be found on the dedicated intranet page for this topic. 

Arrow symbol
Contact us
Information Assurance Manager
Telephone: 01206 872285