The GDPR uses terminology that many people find confusing. It also defines a number of roles and responsibilities, some of them new. The key terms are explained below:

Personal Data

Name, address, date of birth, doctor’s name and address etc.

Special Category Data

Includes sensitive information such as medical history, medical and dental records, ethnic origin, race, political opinions, religion, trade union membership, genetics, biometrics, health, sex and sexual orientation. It also includes criminal record checks.

Data Processing

Includes collecting information about an individual, using it, storing it, securing it etc. GDPR applies to all businesses and organisations and to all personal data held about individuals.

Personal Privacy Rights

Under GDPR, all individuals who have personal data held about them have the following personal privacy rights:

  • Right to subject access
  • Right to have inaccuracies deleted
  • Right to have information erased
  • Right to object to direct marketing
  • Right to restrict the processing of their information, including automated decision-making
  • Right to data portability

Automated Decision Making

This covers all decisions taken automatically, without human intervention, e.g. email reminders to book an appointment, text or email reminders of appointments, and direct marketing.

Data Portability

The ability to take one’s personal data elsewhere, e.g. to a healthcare provider or employer.

Legal Basis for Processing Data

There are six legal bases for processing personal data. You must be able to justify, articulate and document the legal basis on which you collect and process all personal data that you hold.

Data Protection Impact Assessment

A data protection impact assessment is the process of systematically considering the impact that any project or initiative could have on the privacy of individuals.

Data Protection by Design and Default

Data protection by design and default means that everything you do or plan to do, such as new projects and initiatives, is planned and executed with privacy in mind. Everything should always be ‘designed’ with privacy in mind, and that is your ‘default’ position.

Data Protection Officer

A person designated or appointed to ensure the business complies with GDPR.