Data protection principles, definitions, and key terms

This is a glossary of key data protection terms that has been written to help sole traders, small- to medium-sized enterprises (SMEs), and other small organisations understand and comply with data protection.

Personal data

Personal data is information about who you are, where you live, what you do and more. It’s any and all information that identifies you as a data subject.

Data protection law is all about protecting personal data. SMEs are likely to be handling items containing personal data or otherwise processing personal data, such as:

  • people’s names and addresses;
  • photographs;
  • customer reference numbers;
  • medical information;
  • school reports; and
  • customer reviews.

If a document, file or image identifies a person, or could be used in combination with other information to identify them, then it’s personal data. This applies even if the information doesn’t include a person’s name.

However, information is only personal data if it relates to someone who’s alive. Data protection laws don’t apply after someone has died.

For a more detailed explanation of personal data, please see our Guide to the UK GDPR.

Data subject

A data subject is someone who can be identified from personal data. The data could be their name, address, telephone number or something else – but if it’s about a person, then they’re the data subject. They’re the ‘subject’ of the data. However, the term only relates to people who are alive. Data protection law doesn’t apply after someone has died.

Often when you hear the term ‘data subjects’, this will mean your customers, employees, volunteers and service users. Anyone else whose personal data you use will be a data subject, too.

Processing

Processing means taking any action with someone’s personal data. This begins when a data controller starts making a record of information about someone, and continues until you no longer need the information and it’s been securely destroyed. If you hold information on someone, it counts as processing even if you don’t do anything else with it.

Other types of data processing include actions such as organising and restructuring the way you save the data, making changes to it (eg updating someone’s address or record), and sharing it or passing it on to others.

Data controller

A data controller has the responsibility of deciding how personal data is processed and protecting it from harm.

Controllers aren’t usually individual people. They can be a limited company, an organisation, charity, association, club, volunteer group or business of any size – including sole traders and people who work for themselves.

Wherever personal data is used for purposes other than personal or household processing, the organisation behind it is a controller. Personal or household processing means the personal data you’d usually have in your home, such as family photo albums, friends’ addresses and notes on the fridge, none of which would be covered by data protection laws unless there was another connection to a professional or commercial activity.

Controllers can delegate the processing of personal data to data processors, but the responsibility for keeping it safe will still rest with the controller.

Data processor

In a similar way to data controllers, data processors have to protect people’s personal data – but they only process it in the first place on behalf of the controller. They wouldn’t have any reason to have the data if the controller hadn’t asked them to do something with it.

For example, data processors could be IT support companies, payroll providers or another service where personal data is used.

Personal data breach

If any personal data that you’re responsible for has been lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn’t have been, this could be a personal data breach.

The scope of the breach and how you handle it could have serious consequences for the people who are identifiable in the data. In some cases, personal data breaches – once discovered – have to be reported to the ICO within 72 hours.

Lawful basis

Whenever you collect or use personal information, you must have a valid reason for doing so. This reason is known as a ‘lawful basis’.

There are six lawful bases:

  • consent;
  • contract;
  • legal obligation;
  • vital interests;
  • public task; and
  • legitimate interests.

None of the lawful bases are ‘better’ or more important than any of the others. You must identify the most appropriate one for what you’re doing with people’s information. You may have a different lawful basis for each of your different reasons or purposes.

Whichever lawful basis you choose, your collection and use of people’s information needs to be proportionate and necessary to achieve your specified purpose. You must be able to justify what you’re doing, and why.

Consent

Consent is appropriate when you can offer people real choice and control over how you use their information.

If you’re relying on consent, it must be:

  • freely given (and usually not as a precondition of a service);
  • specific and informed;
  • indicated by a positive action to opt-in (which means you can’t use pre-ticked boxes or other types of default consent);
  • separate from your other terms and conditions wherever possible;
  • easy for the person to withdraw at any time; and
  • kept under review and refreshed if anything changes.

Contract

This would be appropriate when you need to collect or use a person’s information to deliver a contractual service to them, or because they’ve asked you to do something before entering into a contract. For example, if a prospective client asks for a quote for your services, you’ll need to handle a certain amount of their information to provide this.

Legal Obligation

This would be the most appropriate lawful basis if you’re required to collect or use personal information in order to comply with the law. For example, there may be specific legislation in place that directs you to process personal information, like a requirement to report a serious accident at work under health and safety legislation.

Vital Interests

You can rely on vital interests if you need to use or share personal information to protect someone’s life. For example, giving relevant information to the ambulance crew who are helping someone who’s unconscious.

Public Task

This lawful basis is used by public authorities or organisations carrying out specific tasks in the public interest. This lawful basis may be appropriate if you work on behalf of a public authority.

Legitimate Interests

This is where using personal information is in the legitimate interests of yourself, an individual or a third party, and can include commercial interests or wider benefits for society. You must be able to justify this.

To rely on this lawful basis you must:

  • identify a legitimate interest;
  • show the collection and use of personal information is necessary to achieve this; and
  • balance your own or someone else’s interests against the person’s interests, rights and freedoms.

This lawful basis is likely to be most appropriate when you use personal information in ways that people would reasonably expect, and the privacy impact is minimal. For example, you hold contact details for an employee’s next of kin because it’s in your employee’s legitimate interest for you to let someone know if they are taken ill whilst at work.

There may also be times when you have a compelling justification for your use of someone’s information even though there’s a higher impact on that person. You can rely on legitimate interests here, but you must make sure you can demonstrate that any impact is justified.

There’s no single lawful basis that’s better or more lawful than any of the others. It’s up to the company, organisation or sole trader responsible (known as a ‘controller’) to choose which is most appropriate for what they’re doing with data.

Individual rights

In data protection law, people have rights over their data. These generally allow them to ask you to do something, or stop doing something, with their personal data.

There are eight individual rights. If you’re handling people’s personal data, you’ll have to comply with these rights whenever they’re used, unless it’s an exceptional situation.

As a small business or SME, the three main rights you’re likely to come across are the right of access, the right to object and the right to be informed:

  • The right of access is when someone asks you for a copy of the data you have on them. This is also known as a subject access request – or SAR – and you have one month to deal with a SAR.
  • The right to object means people can object to specific processing of their personal data, so you’d have to stop using their data for certain purposes unless you have a good reason to continue. For example, if a customer objects to you using their details to send them postal marketing, you could suppress or flag their details so you know not to post them marketing material again.
  • The right to be informed usually means that you have to tell people that you have their data and what you’re doing with it.

You also need to know about the other five rights:

  • The right to rectification means people can ask you to correct their data if it isn’t accurate.
  • The right to erasure is when someone asks you to delete their data. It is also known as the ‘right to be forgotten’ and means that in certain specific situations, you may have to delete their data upon request. For example, if you collected someone’s personal data and it’s now no longer valid for the reason you collected it, they could ask you to delete it.
  • The right to restrict processing means that you have to temporarily stop processing someone’s data if they ask you to. You can store their data, but not use it. This isn’t an absolute right and only applies in certain circumstances.
  • The right to data portability gives people more control over their data where it’s held electronically if it's personal data they've supplied themselves. It’s intended to make it easy for them to provide it to another data controller if they need to. The data you hold about them electronically has to be made easily accessible and transferable. Also, if requested, you have to provide it to them or to another organisation on their behalf. However, this right only applies when the controller is relying on ‘consent’ or ‘performance of a contract’, and when they’re processing the data by automated means.

For example, Peter wants to switch electricity suppliers. At his request, his current energy company should provide his new energy supplier with the details he gave them when he joined them and any details about his energy usage gathered from his smart meter, if this is what Peter wants to do.

  • Rights in relation to automated decision making and profiling. If personal data is processed entirely by automatic means and this might have a legal or similarly significant effect on the person, they can request some human involvement in the processing.

Contact us if you’re unsure what you should do.

GDPR

This stands for General Data Protection Regulation (GDPR), the EU’s agreed standards for data protection that are also written into UK law through the Data Protection Act 2018 (DPA 2018).

The transition period for leaving the EU ended on 31 December 2020. The GDPR has been retained in UK law as the UK GDPR, and will continue to be read alongside the DPA 2018, with technical amendments to ensure it can function in UK law.

Registration

If you have or use information about people, also known as processing, you may have to register with the ICO and pay a fee.

Data protection fees are a legal obligation and the amount payable varies depending on the size of your organisation and what personal data you’re processing. For most small businesses, it’s £52 or £78 a year.

If you need to pay – and don’t – you could be fined.

What are the seven principles of data protection?

At its core, data protection has seven main principles. They are:

  1. Lawfulness, fairness, and transparency – using personal data in a way that complies with the law, and in a way your customers and staff expect and have been told about.
  2. Purpose limitation – only use personal data for the reasons you collected it, and not for something extra or unrelated.
  3. Data minimisation – limit the amount of personal data you collect to what you need. If you only need basic contact details of your customers to run your accounts, don’t ask for more information.
  4. Accuracy – the personal details in your records should be accurate and kept up to date.
  5. Storage limitation – only keep personal data for as long as you need it. When you no longer need it, it should be securely destroyed or deleted.
  6. Integrity and confidentiality (security) – personal data needs to be kept securely. You need to make sure that the details of your staff and customers are protected and that you can access those details.
  7. Accountability – this underpins the other six principles. It’s about taking responsibility, having appropriate measures in place, and keeping records to demonstrate how you achieve data protection compliance. Company owners should hold themselves accountable for getting it right.

What are the ‘special categories’ of personal data?

In data protection law, ‘special category data’ means personal data that needs more protection because it’s sensitive. The special categories of personal data are:

  • personal data about racial or ethnic origin;
  • personal data about political opinions;
  • personal data about religious or philosophical beliefs;
  • personal data about trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes) – this could be data such as fingerprints or retina scans;
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

If you’re processing special category data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary. You should also take extra care to keep it safe.

Are we a data controller, a data processor, or a joint controller – and what’s the difference?

You’re a data controller if you’re the main decision-maker when it comes to how people’s personal information is handled, and how it’s kept safe. Controllers can be a limited company, an organisation, charity, association, club, volunteer group or business of any size – including sole traders and people who work for themselves.

You’re a processor if you’re only acting on the instructions of a controller – if a business has hired you to process their mail, for example. As a processor, you wouldn’t be doing anything with the data if the controller hadn’t asked you to. It’s not up to you to decide what should happen to it, which means you’re only processing the information and not controlling it. However, you do have responsibilities to protect the personal data that you’ve been trusted with and to use it appropriately in line with your contract with the controller.

The difference between controller and processor is important because someone ultimately needs to be responsible for making sure personal data is handled lawfully, fairly, and transparently, that people are protected from harm and that their information rights are upheld.

For example, Harry manages a chain of hair salons and he keeps a note of the names of his customers. It’s the customers’ personal data and they’re giving it to Harry so that he can provide them with a service. This information wouldn’t be kept in this way if Harry’s business didn’t exist, therefore Harry controls this information and – among other responsibilities – he’s ultimately responsible for making sure it’s accurate, accessible, and safe.

Harry’s business is considered the controller, not Harry personally. Harry is the only person responsible for everything to do with how his business is run, so the term ‘controller’ may not seem like it makes much difference on a practical level, but it does mean that Harry’s business continues to be the controller, even if Harry moves on or stops trading.

If Harry hires an IT services company to keep an electronic list of his appointments, the IT services company would be the processor for that data, and Harry is still the controller.

When it comes to joint controllers, this is a little less straightforward. But generally speaking, joint controllers decide together why and how personal data will be processed and will have the same or similar reasons for using the data. Controllers using the same data for different reasons aren’t usually joint controllers but this will depend on the circumstances.

If you’ve received a subject access request, you need to think about who’s responsible for responding. Responsibilities are different depending on whether you’re a controller, processor or joint controller. Our step-by-step guide walks a controller through dealing with a request for information.

If you’re unsure whether you’re the controller, the processor, or a joint controller in your situation, we’re here to help – please contact us.