Data Subject Request Cheatsheet: A Glossary for Data Privacy

As you navigate the complex world of data privacy, you may find yourself tangled in a web of legal jargon and technical terms. But fear not! This blog post is here to help you understand the key terms associated with Data Subject Access Requests (DSARs) and other data privacy concepts. Let’s dive in!

Data Subject

This term refers to the individual to whom the personal data you’ve collected belongs. In simpler terms, a “data subject” is the person whose data you’re handling.

DSAR or DSRR

These acronyms stand for “Data Subject Access Request” and “Data Subject Rights Request,” respectively. They refer to a person exercising their privacy rights with an organization. If you “receive a DSAR,” it means a person has requested access to the data you hold about them and may have asked you to do something with that data, such as delete it, correct it, or not use it in some way.

Controller

The “controller” is the organization that determines why and how personal data is processed. This might be your organization, if you’re collecting and using data to do things like personalize your marketing, improve your services, or hire new staff.

Processor

A “processor” is any person or group that processes data on behalf of the controller (excluding the employees of the controller). For example, if you use a cloud service to store or analyze the personal data you’ve collected, that cloud service is your processor.

Third Party

This term refers to any person, organization, or entity other than the data subject, controller, processor, and the people who are under the direct authority of the controller or processor.

Automated Decision-Making

This refers to decisions made about people by algorithms, AI, or machine learning without human involvement. It’s seen in various aspects of daily life, from credit checks and e-recruiting to e-commerce recommendations.

Profiling

Profiling involves processing personal data to assess or predict a person’s behavior, characteristics, and preferences. Companies often use this for targeted advertising, risk assessment, and fraud prevention.

Personal Information

Any information relating to an identified or identifiable person (the data subject). This not only includes obvious information like names and contact details but also things like IP addresses, cookie identifiers, and RFID tags if companies can use those to identify a person.

Sensitive Personal Information

This refers to categories of personal data that could reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health condition, sex life or sexual orientation, genetic data, and biometric data. This type of information is subject to stricter processing conditions.

Portability

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

Data Breach

A data breach is a security incident in which unauthorized or illegal access, disclosure, copying, use, or deletion of personal data takes place.

Data Minimization

Data minimization is the principle under which controllers collect, process, and store only the personal data that is necessary to achieve their processing purposes.

Data Protection Officer

A data protection officer (DPO) is an individual appointed to ensure that an organization complies with the provisions of GDPR. They act as a point of contact for data subjects and the supervisory authority.

Privacy by Design

Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The GDPR makes privacy by design a legal requirement, under the term ‘data protection by design and by default’.

Privacy Impact Assessment

A privacy impact assessment (PIA) is a tool that entities use to identify and reduce privacy risks. It forces them to fully consider how a specific project or system will affect the privacy of the individuals involved.

Right to be Forgotten

The right to be forgotten, also known as the right to erasure, is a GDPR mandate that allows customers to request that an organization deletes all applicable data they have on the customer.

Subject Access Request

An individual, or someone acting on their behalf, makes a subject access request (SAR) under section 7 of the Data Protection Act 1998 (DPA) to ask for the information to which they are entitled.

Data Processing Agreement

The controller and the processor enter into a data processing agreement (DPA), a legally binding document, in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.

Data Protection Impact Assessment

Organizations use a data protection impact assessment (DPIA) as a process to systematically analyze, identify, and minimize the data protection risks of a project or plan.

Data Protection Authority

The national authorities tasked with protecting data and privacy, as well as with monitoring and enforcing the data protection regulations within the Union.

Consent

In the context of personal data, consent is a person’s agreement for processing of their personal data.

Data Controller

The entity that determines the purposes, conditions, and means of the processing of personal data.

Data Processor

The entity that processes data on behalf of the Data Controller.

Data Protection Principles

The principles set out in the GDPR that should be followed when collecting, processing and storing individuals’ personal data.

Data Subject

The identified or identifiable living individual to whom personal data relates.

Fair Processing Notice

A notice to the data subject which identifies the data controller, describes how the controller will use the data and provides any other information necessary to ensure that the processing is fair.

Personal Data

Any information that relates to a living individual who can be identified from that data, either on its own or in combination with other information.

Processing

Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

Recipient

A natural or legal person, public authority, agency, or any other body to which the personal data is disclosed.

Sensitive Personal Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Third Party

This category includes a natural or legal person, public authority, agency, or body, other than the data subject, controller, processor, and the people who have authorization to process personal data under the direct authority of the controller or processor.

About the Author: Hakim Danyal

Hakim Danyal is a writer for PieEye, specializing in the intricacies of Data Privacy. With a keen focus on GDPR, CPRA, and other pivotal data protection regulations, he delves deep into the world of cookies and privacy-related matters, ensuring readers stay informed and compliant.
