This is a glossary of key data protection terms that has been written to help sole traders, small- to medium-sized enterprises (SMEs), and other small organisations understand and comply with data protection.
You’ll find it helpful when you’re reading our other guidance and tools for SMEs.
- Personal data
- Data subject
- Data controller
- Data processor
- Personal data breach
- Lawful basis
- Individual rights
Personal data
Personal data is information about who you are, where you live, what you do and more. It’s any information that identifies you as a data subject, or that could be used to identify you.
Data protection law is all about protecting personal data. SMEs are likely to be handling items containing personal data or otherwise processing personal data, such as:
- people’s names and addresses;
- customer reference numbers;
- medical information;
- school reports; and
- customer reviews.
If a document, file or image identifies a person, or could be used in combination with other information to identify them, then it’s personal data. This applies even if the information doesn’t include a person’s name.
For a more detailed explanation of personal data, please see our Guide to the GDPR.
Data subject
A data subject is someone who can be identified from personal data. The data could be their name, address, telephone number or something else – but if it’s about a person, then they’re the data subject. They’re the ‘subject’ of the data. However, the term only relates to people who are alive. Data protection law doesn’t apply after someone has died.
Often when you hear the term ‘data subjects’, this will mean your customers, employees, volunteers and service users. Anyone else whose personal data you use will be a data subject, too.
Processing
Processing means taking any action with someone’s personal data. This begins as soon as you record information about someone, and continues until you no longer need the information and it has been securely destroyed. If you hold information on someone, it counts as processing even if you don’t do anything else with it.
Other types of data processing include actions such as organising and restructuring the way you save the data, making changes to it eg updating someone’s address or record, and sharing it or passing it on to others.
Data controller
A data controller decides why and how personal data is processed, and is responsible for protecting it from harm.
Controllers aren’t usually individual people. They can be a limited company, an organisation, charity, association, club, volunteer group or business of any size – including sole traders and people who work for themselves.
Wherever personal data is used for purposes other than personal or household processing, the organisation deciding why and how it is used is a controller. Personal or household processing means the personal data you’d usually have in your home, such as family photo albums, friends’ addresses and notes on the fridge, none of which is covered by data protection law unless there’s another connection to a professional or commercial activity.
Controllers can delegate the processing of personal data to data processors, but the responsibility for keeping it safe will still rest with the controller.
For more information about controllers and their responsibilities, please see our main Guide to the GDPR.
Data processor
In a similar way to data controllers, data processors have to protect people’s personal data – but they only process it in the first place on behalf of the controller. They wouldn’t have any reason to have the data if the controller hadn’t asked them to do something with it.
For example, data processors could be IT support companies, payroll providers or another service where personal data is used.
Personal data breach
If any personal data that you’re responsible for has been lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn’t have been, this is a personal data breach.
The scope of the breach and how you handle it could have serious consequences for the people who are identifiable in the data. In some cases – where the breach is likely to result in a risk to people’s rights and freedoms – it has to be reported to the ICO within 72 hours of you becoming aware of it.
Lawful basis
A lawful basis is the reason or legal grounds you can rely on for using people’s personal data. There are six bases to choose from:
- consent;
- contract;
- legal obligation;
- vital interests;
- public task; and
- legitimate interests.
There’s no single lawful basis that’s better or more lawful than any of the others. It’s up to the company, organisation or sole trader responsible to choose which is most appropriate for what they’re doing with data.
Individual rights
In data protection law, people have rights over their data. These generally allow them to ask you to do something, or stop doing something, with their personal data.
There are eight individual rights. If you’re handling people’s personal data, you’ll have to comply with these rights whenever they’re used, unless it’s an exceptional situation.
As a small business or SME, the three main rights you’re likely to come across are the right of access, the right to object and the right to be informed:
- The right of access is when someone asks you for a copy of the data you have on them. This is also known as a subject access request (SAR), and you have one month from receiving a SAR to deal with it.
- The right to object means people can object to specific processing of their personal data, so you’d have to stop using their data for certain purposes unless you have a good reason to continue. For example, if a customer objects to you using their details to send them postal marketing, you could suppress or flag their details so you know not to post them marketing material again.
- The right to be informed usually means that you have to tell people that you have their data and what you’re doing with it.
You also need to know about the other five rights:
- The right to rectification means people can ask you to correct their data if it isn’t accurate.
- The right to erasure is when someone asks you to delete their data. It is also known as the ‘right to be forgotten’ and means that in certain specific situations, you may have to delete their data upon request. For example, if you collected someone’s personal data and it’s now no longer valid for the reason you collected it, they could ask you to delete it.
- The right to restrict processing means that, in certain circumstances, you have to temporarily stop using someone’s data if they ask you to. You can still store their data, but not use it. This isn’t an absolute right.
- The right to data portability gives people more control over their data where it’s held electronically if it's personal data they've supplied themselves. It’s intended to make it easy for them to provide it to another data controller if they need to. The data you hold about them electronically has to be made easily accessible and transferable. Also, if requested, you have to provide it to them or to another organisation on their behalf. However, this right only applies when the controller is relying on ‘consent’ or ‘performance of a contract’, and when they’re processing the data by automated means.
For example, Peter wants to switch electricity suppliers. At his request, his current energy company should provide his new energy supplier with the details he gave them when he joined them and any details about his energy usage gathered from his smart meter, if this is what Peter wants to do.
- Rights in relation to automated decision making and profiling. If personal data is processed entirely by automatic means and this might have a legal or similarly significant effect on the person, they can request some human involvement in the processing.
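One way a small business could build these rights into its own customer records is shown below. This is an added, constructed example, not code from the ICO or from this page: the record fields, the customers, the email-based suppression list and the split between “supplied” and “derived” data are all assumptions made for illustration. It treats an objection as a suppression flag (kept even after the record is erased, so the same address isn’t marketed to again if it is re-imported later), a restriction as a “store but don’t use” flag, portability as an export of only the data the person supplied, and a SAR as an export of everything held.

```python
# Added example (not from the ICO page). A small in-memory customer store that
# honours the rights described above. Field names, customers and the
# suppression-list design are assumptions made for illustration.
from __future__ import annotations

import json
from dataclasses import dataclass, field


@dataclass
class Customer:
    customer_id: str
    # Data the person supplied themselves: in scope for data portability.
    supplied: dict = field(default_factory=dict)
    # Data you derived or observed: disclosed in a SAR, but not portable.
    derived: dict = field(default_factory=dict)
    marketing_objection: bool = False  # right to object: never market to them
    restricted: bool = False           # right to restrict: store, but do not use


class CustomerStore:
    def __init__(self) -> None:
        self._records: dict[str, Customer] = {}
        # Suppression list. It outlives erasure so that an address whose owner
        # objected is not marketed to again if it is re-imported later.
        self._suppressed_emails: set[str] = set()

    def add(self, customer: Customer) -> None:
        if customer.supplied.get("email") in self._suppressed_emails:
            customer.marketing_objection = True
        self._records[customer.customer_id] = customer

    def object_to_marketing(self, customer_id: str) -> None:
        """Right to object: flag the record and remember the address."""
        c = self._records[customer_id]
        c.marketing_objection = True
        if "email" in c.supplied:
            self._suppressed_emails.add(c.supplied["email"])

    def restrict(self, customer_id: str) -> None:
        """Right to restrict processing: keep the data, stop using it."""
        self._records[customer_id].restricted = True

    def lift_restriction(self, customer_id: str) -> None:
        self._records[customer_id].restricted = False

    def erase(self, customer_id: str) -> None:
        """Right to erasure: delete the record; only the suppression entry survives."""
        self._records.pop(customer_id, None)

    def marketing_recipients(self) -> list[str]:
        """Addresses you may still send marketing to."""
        return sorted(
            c.supplied["email"]
            for c in self._records.values()
            if "email" in c.supplied and not c.marketing_objection and not c.restricted
        )

    def subject_access(self, customer_id: str) -> dict:
        """Right of access: everything held about the person, including flags."""
        c = self._records[customer_id]
        return {
            "customer_id": c.customer_id,
            **c.supplied,
            **c.derived,
            "marketing_objection": c.marketing_objection,
            "restricted": c.restricted,
        }

    def export_portable(self, customer_id: str) -> str:
        """Right to data portability: only supplied data, as machine-readable JSON."""
        return json.dumps(self._records[customer_id].supplied, sort_keys=True)


if __name__ == "__main__":
    store = CustomerStore()
    store.add(Customer("c1", {"name": "Ada", "email": "ada@example.com"},
                       {"last_order": "2024-01-02"}))
    store.add(Customer("c2", {"name": "Bob", "email": "bob@example.com"}))
    store.object_to_marketing("c1")
    store.restrict("c2")
    print(store.marketing_recipients())      # []
    print(store.export_portable("c1"))
    store.erase("c1")
    store.add(Customer("c3", {"email": "ada@example.com"}))
    print(store.marketing_recipients())      # [] - ada is still suppressed
```

The design choice worth noting is that erasure and objection pull in different directions: deleting every trace of a person who objected to marketing would let them be re-added by the next data import, so the suppression entry is the one thing deliberately kept.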
Contact us if you’re unsure what you should do.
GDPR
GDPR stands for General Data Protection Regulation, the EU’s agreed standards for data protection, which are also written into UK law through the Data Protection Act 2018 (DPA 2018).
The transition period for leaving the EU ended on 31 December 2020. The GDPR has been retained in UK law as the UK GDPR, and will continue to be read alongside the DPA 2018, with technical amendments to ensure it can function in UK law.
Data protection fee
If you have or use information about people, also known as processing, you may have to register with the ICO and pay a fee.
Data protection fees are a legal obligation and the amount payable varies depending on the size of your organisation and what personal data you’re processing. For most small businesses, it’s £40 or £60 a year.
If you need to pay – and don’t – you could be fined. Find out more about the data protection fee.
About the ICO
The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights, covering laws including the Data Protection Act 2018, Freedom of Information and Privacy and Electronic Communications Regulations.
We also help companies, businesses and organisations of any type or size to understand and comply with these laws.
Our SME hub is full of simple guides, toolkits and other bite-sized resources for small businesses, sole traders, SMEs and other small organisations.