The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This code came into force on 2 September 2020, with a 12-month transition period. Organisations should conform by 2 September 2021.

This glossary is included as a quick reference point for key data protection terms and abbreviations used in this code. It includes links to further reading and other resources which do not form part of this code, but may provide useful context and more detailed guidance.

ASA: The Advertising Standards Authority. See www.asa.org.uk
CAP code: The UK Code of Non-broadcast Advertising and Direct & Promotional Marketing. See www.asa.org.uk/codes-and-rulings/advertising-codes/non-broadcast-code.html
Child: A person under the age of 18 years, as defined in the UNCRC.
Competent authority: A public authority listed in schedule 7 of the DPA 2018, or any other organisation or person with statutory law enforcement functions. For more information, see our separate Guide to Law Enforcement Processing.
Consent: A freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data. For more information, see our separate guidance on consent.
Controller: The person (usually an organisation) who decides how and why to collect and use the data. For more information, see our separate guidance on controllers and processors.
DPA 2018: The Data Protection Act 2018. For more information, see our separate introduction to data protection.
DPIA: Data protection impact assessment. For more information, see our separate guidance on DPIAs.
GDPR: The General Data Protection Regulation (EU) 2016/679, as amended and incorporated into UK law. For more information, see our separate Guide to Data Protection. When the UK leaves the EU (or at the end of any agreed implementation period if we leave with a deal), you should read references to the GDPR in this code as references to the UK GDPR.
ISS: Information society service, as defined in Directive (EU) 2015/1535 and incorporated into the GDPR (any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient).
One-stop-shop: The one-stop-shop means you can generally deal with a single European supervisory authority taking action on behalf of the other European supervisory authorities. It avoids you having to deal with regulatory and enforcement action from every supervisory authority in every EEA and EU state where individuals are affected. For more information, see EDPB guidelines on the lead supervisory authority.
PECR: The Privacy and Electronic Communications (EC Directive) Regulations 2003. For more information, see our separate Guide to PECR.
PEGI: Pan European Game Information. For more information, see www.pegi.info/
Processor: A person (usually an organisation) who processes personal data on behalf of a controller. For more information, see our separate guidance on controllers and processors.
UK GDPR: The UK version of the GDPR, as amended and incorporated into UK law after the UK leaves the EU by the European Union (Withdrawal) Act 2018 and associated Exit Regulations. The government has published a Keeling Schedule for the UK GDPR which shows the planned amendments.
UNCRC: The 1989 United Nations Convention on the Rights of the Child.