This is a glossary of key data protection terms, written to help sole traders, small- to medium-sized enterprises (SMEs) and other small organisations understand and comply with data protection law.
You’ll find it helpful when you’re reading our other guidance and tools for SMEs.
- Personal data
- Data subject
- Data controller
- Data processor
- Personal data breach
- Lawful basis
- Individual rights
Personal data is information about who you are, where you live, what you do and more. It’s any information that identifies a living person, either on its own or in combination with other information, and the person it identifies is the data subject.
Data protection law is all about protecting personal data. SMEs are likely to be handling items containing personal data or otherwise processing personal data, such as:
- people’s names and addresses;
- customer reference numbers;
- medical information;
- school reports; and
- customer reviews.
If a document, file or image identifies a person, or could be used in combination with other information to identify them, then it’s personal data. This applies even if the information doesn’t include a person’s name.
However, information is only personal data if it relates to someone who’s alive. Data protection laws don’t apply after someone has died.
For a more detailed explanation of personal data, please see our Guide to the UK GDPR.
A data subject is someone who can be identified from personal data. The data could be their name, address, telephone number or something else – but if it’s about a person, then they’re the data subject. They’re the ‘subject’ of the data. However, the term only relates to people who are alive. Data protection law doesn’t apply after someone has died.
Often when you hear the term ‘data subjects’, this will mean your customers, employees, volunteers and service users. Anyone else whose personal data you use will be a data subject, too.
Processing means taking any action with someone’s personal data. It begins the moment you make a record of information about someone and continues until you no longer need the information and have securely destroyed it. Simply holding information about someone counts as processing, even if you do nothing else with it.
Other types of data processing include actions such as organising and restructuring the way you save the data, making changes to it eg updating someone’s address or record, and sharing it or passing it on to others.
A data controller decides why and how personal data is processed, and is responsible for protecting it from harm.
Controllers aren’t usually individual people. They can be a limited company, an organisation, charity, association, club, volunteer group or business of any size – including sole traders and people who work for themselves.
Wherever personal data is used for purposes other than personal or household processing, the organisation behind it is a controller. Personal or household processing means the personal data you’d usually have in your home, such as family photo albums, friends’ addresses and notes on the fridge, none of which would be covered by data protection laws unless there was another connection to a professional or commercial activity.
Controllers can delegate the processing of personal data to data processors, but the responsibility for keeping it safe will still rest with the controller.
For more information about controllers and their responsibilities, please see our frequently asked questions.
In a similar way to data controllers, data processors have to protect people’s personal data – but they only process it in the first place on behalf of the controller. They wouldn’t have any reason to have the data if the controller hadn’t asked them to do something with it.
For example, data processors could be IT support companies, payroll providers or any other service provider that handles personal data on your instructions.
If any personal data that you’re responsible for has been lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn’t have been, this is a personal data breach. It covers accidental incidents as well as deliberate attacks.
The scope of the breach and how you handle it could have serious consequences for the people who are identifiable in the data. Unless the breach is unlikely to result in a risk to people’s rights and freedoms, you must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.
Whenever you collect or use personal information, you must have a valid reason for doing so. This reason is known as a ‘lawful basis’.
There are six lawful bases:
- consent;
- contract;
- legal obligation;
- vital interests;
- public task; and
- legitimate interests.
None of the lawful bases are ‘better’ or more important than any of the others. You must identify the most appropriate one for what you’re doing with people’s information. You may have a different lawful basis for each of your different reasons or purposes.
Whichever lawful basis you choose, your collection and use of people’s information needs to be proportionate and necessary to achieve your specified purpose. You must be able to justify what you’re doing, and why.
Consent is appropriate when you can offer people real choice and control over how you use their information.
If you’re relying on consent, it must be:
- freely given (and usually not as a precondition of a service);
- specific and informed;
- indicated by a positive action to opt-in (which means you can’t use pre-ticked boxes or other types of default consent);
- separate from your other terms and conditions wherever possible;
- easy for the person to withdraw at any time; and
- kept under review and refreshed if anything changes.
Contract is appropriate when you need to collect or use a person’s information to deliver a contractual service to them, or because they’ve asked you to do something before entering into a contract. For example, if a prospective client asks for a quote for your services, you’ll need to handle a certain amount of their information to provide it.
Legal obligation is the most appropriate lawful basis if you’re required to collect or use personal information in order to comply with the law. For example, specific legislation may direct you to process personal information, such as the requirement to report a serious accident at work under health and safety legislation.
You can rely on vital interests if you need to use or share personal information to protect someone’s life. For example, giving relevant information to the ambulance crew who are helping someone who’s unconscious.
Public task is the lawful basis used by public authorities, or by organisations carrying out specific tasks in the public interest. It may be appropriate if you work on behalf of a public authority.
Legitimate interests applies where using personal information is in the legitimate interests of yourself, an individual or a third party. This can include commercial interests or wider benefits for society, but you must be able to justify it.
To rely on this lawful basis you must:
- identify a legitimate interest;
- show the collection and use of personal information is necessary to achieve this; and
- balance your own or someone else’s interests against the person’s interests, rights and freedoms.
This lawful basis is likely to be most appropriate when you use personal information in ways that people would reasonably expect, and the privacy impact is minimal. For example, you hold contact details for an employee’s next of kin because it’s in your employee’s legitimate interest for you to let someone know if they are taken ill whilst at work.
There may also be times when you have a compelling justification for your use of someone’s information even though there’s a higher impact on that person. You can rely on legitimate interests here, but you must make sure you can demonstrate that any impact is justified.
There’s no single lawful basis that’s better or more lawful than any of the others. It’s up to the company, organisation or sole trader responsible (known as a "controller") to choose which is most appropriate for what they’re doing with data.
In data protection law, people have rights over their data. These generally allow them to ask you to do something, or stop doing something, with their personal data.
There are eight individual rights. If you’re handling people’s personal data, you’ll have to comply with these rights whenever people exercise them, unless an exemption applies.
As a small business or SME, the three main rights you’re likely to come across are the right of access, the right to object and the right to be informed:
- The right of access is when someone asks you for a copy of the data you hold on them. This is also known as a subject access request, or SAR. You normally have one month to respond, which can be extended by up to two further months if the request is complex.
- The right to object means people can object to specific processing of their personal data, so you’d have to stop using their data for certain purposes unless you have a good reason to continue. For example, if a customer objects to you using their details to send them postal marketing, you could suppress or flag their details so you know not to post them marketing material again.
- The right to be informed usually means that you have to tell people that you have their data and what you’re doing with it.
You also need to know about the other five rights:
- The right to rectification means people can ask you to correct their data if it isn’t accurate.
- The right to erasure is when someone asks you to delete their data. It’s also known as the ‘right to be forgotten’ and means that in certain specific situations you must delete their data on request. For example, if you collected someone’s personal data and you no longer need it for the purpose you collected it for, they can ask you to delete it.
- The right to restrict processing means that you have to temporarily stop processing someone’s data if they ask you to. You can store their data, but not use it. This isn’t an absolute right and only applies in certain circumstances.
- The right to data portability gives people more control over personal data they’ve supplied to you and that you hold electronically. It’s intended to make it easy for them to move that data to another controller. You have to provide the data in a structured, commonly used and machine-readable format and, if asked, send it directly to them or to another organisation on their behalf. However, this right only applies when you’re relying on ‘consent’ or ‘contract’ as your lawful basis, and only to data you process by automated means.
For example, Peter wants to switch electricity suppliers. At his request, his current energy company should provide his new energy supplier with the details he gave them when he joined them and any details about his energy usage gathered from his smart meter, if this is what Peter wants to do.
- Rights in relation to automated decision making and profiling. If a decision about someone is made solely by automated means and has a legal or similarly significant effect on them, they can ask for a human to review the decision, express their point of view and contest it.
Contact us if you’re unsure what you should do.
GDPR stands for the General Data Protection Regulation, the EU’s data protection law, which in the UK sits alongside the Data Protection Act 2018 (DPA 2018).
The transition period for leaving the EU ended on 31 December 2020. The GDPR has been retained in UK law as the UK GDPR, with technical amendments to ensure it can function in UK law, and continues to be read alongside the DPA 2018.
If you have or use information about people, also known as processing, you may have to register with the ICO and pay a fee.
Data protection fees are a legal obligation and the amount payable varies depending on the size of your organisation and what personal data you’re processing. For most small businesses, it’s £40 or £60 a year.
If you need to pay – and don’t – you could be fined. Find out more about the data protection fee.
About the ICO
The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights, covering laws including the Data Protection Act 2018, Freedom of Information and Privacy and Electronic Communications Regulations.
We also help companies, businesses and organisations of any type or size to understand and comply with these laws.
Our SME hub is full of simple guides, toolkits and other bite-sized resources for small businesses, sole traders, SMEs and other small organisations.
27 September 2022 - we have added information about how data protection laws apply to deceased persons.