GDPR - terms you must know

8th March 2018

Following our initial GDPR blog, in which we outlined 6 simples steps, there are a number of definitions you should familiarise yourself with. We've simplified things to give you a better understanding of what they mean and how they might be relevant to you.

Personal data

Personal data is any information that relates to an identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What it means?

This has been expanded since the DPA 1998. It means that personal data has a much wider spectrum, which includes things like IP addresses, geo-location and biometric data (finger prints, retina scans). Not only this, but it also considers things such as your physical appearance, your cultural or social identity and your genetic identity. In short, it means that anything that can be used to identify you, the natural person, could be classed as personal data. An example being a work e-mail address such as Some may say that they're not personal data, however, if they contain the name of the natural person and the company they work at, you can then directly identify that natural person.


"Processing" means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure b3y transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

What it means?

It essentially means anything that is done with or to personal data. If you're holding the personal data in your systems, your processing it. If you're collecting personal data, you're processing it. It's a very broad term that can potentially include anything and everything about using personal data.


"Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.

What it means?

Controllers are the companies or other body sets out what will be done with the data. For example, your clients give their personal data to you and therefore you are the data controller. You determine what is going to be done with the data and how it will be processed.

Data Processor

"Processor" means a natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller.

What it means?

These are the individuals that process the data on behalf of someone else. For example, you may use an external company for your payroll. Your employees have provided your company their personal data in order to receive their wage, and you use the data process, which processes the data as you instruct. Remember that data processors must only complete what the data controller instructs with the data. If you use data processors, it's a good idea to check that they're getting up to date with GDPR as you could both be at risk of fines and sanctions if the processor isn't meeting the GDPR requirements.


"The consent of the data subject" means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.

What it means?

Consent is a big part of GDPR. The new definition wipes out previous ways of gaining consent such as pre-ticked boxes or negative opt-ins like "Tick here if you don't want to be part of our marketing list". Document your consent, keep a clear log of who, when and how your clients gave their consent and what it was they were consenting to. This will be covered in full in one of our later blog posts.

← Don't let GDPR catch you out - a 6 step guide

Data protection - Your 6-lawful basis for processing personal data →

Written by: Clemency Patman
Clemency is WhitesPay’s Compliance and Data Protection Officer. She joined the business in 2017, and as well as helping us adhere to a number of regulatory bodies, is responsible for compliance training across the company.

Share this article
Return to Blog listing

Keep up to date with our
currency & rate notifications