GDPR stands for General Data Protection Regulation and is the new European Union Regulation set to replace the Data Protection Directive and the UK Data Protection Act of 1998. The goal of GDPR is to give EU citizens more control over their personal data, to impose stronger fines for non-compliance, and to exert more control over companies and their use of personal data.
“Personal Data” refers to any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” is a set of operations performed on sets of personal data, whether or not by automated means, such as collection, organization, structuring, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Restriction of Processing” is the marking of stored personal data with the aim of limiting their processing in the future.
“Sensitive Data” is a special category of personal data (including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health) to which additional protections apply.
“Data Controller” is the competent authority which, alone or together with others, determines the purposes and means of the processing of personal data, where the purposes and means of such processing are determined by Union or Member State law.
“Data Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
What’s the difference between a controller and a processor?
An organization working with personal data will operate either as a controller or a processor.
A “controller” is the organization that determines the purposes and means of the processing of personal data. If the controller processes the data itself, it will still be considered a controller. For instance, online retailers will fall under this category (as will the majority of businesses).
A “processor” is someone outside the controller organization processing the data on behalf of the controller. Examples of typical processor companies include payroll companies, accountants, market research firms and most cloud providers.