A guide to data protection jargon

15 March 2022

Veritau’s guide to data protection jargon

The world of data protection can involve a lot of technical terms, acronyms and jargon. It sometimes feels like a different language!

Our data protection experts have put together a handy guide to data protection jargon. From anonymisation to UK GDPR – what does it all mean?


The process of removing/changing data so that it no longer directly or indirectly identifies individuals.


A place where inactive or historical materials and/or records are deposited. Archives are used when the records must be retained for extended periods, to comply with legal requirements.

Another use of an archive is when you want to create and preserve an organisational memory of a history. For example a school’s records (including pupils and staff) could be archived to contribute to local history.

Audit log

A record of events and changes on an IT system. By reviewing the audit log (or audit trail) you should be able to find out who has accessed or changed a record, and when.

Back up

A copy of important data that is stored in a different location to the main server, so the data can be recovered if it’s deleted, damaged or corrupted in some way.

Cloud storage

A service which allows you to save and store files securely online. Documents can then be easily shared and accessed from different locations.


Small text files that are placed on a user’s computer by websites they visit. Some are necessary and required for the website to function. Others are non-essential (eg marketing / analytical) and designed to provide information to the owners of the site.

Consent is required for non-essential cookies and this should be sought from the user in the form of a functional cookie request banner.

Cyber security

Security measures which help reduce the risk of a cyber attack. All devices should be protected (such as smartphones, laptops, tablets and computers) from theft or damage. Unauthorised access to the personal information stored on these devices needs to be prevented, including in online locations (eg the cloud).

Data breach

Also called an ‘information security incident’. A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data. Breaches can be accidental or deliberate.

Related article: What to do if you send an email to the wrong person

Data controller

An organisation which processes personal data for its own purposes and makes decisions about that data. This would include schools, local authorities, the NHS, and so on.

Data processor

An organisation which processes personal data on behalf of a data controller and only under the controller’s instructions (for example, Microsoft Teams).

Data Protection Act 2018 (DPA)

A UK law which complements the UK GDPR. The DPA 2018 includes UK-specific details for certain matters, eg the processing of criminal conviction information.

Data Protection Impact Assessment (DPIA)

A risk assessment tool, which can be used when doing something new or different with personal data. It ensures that all privacy and data protection risks have been identified and mitigations taken where possible. For high-risk processing activities, a DPIA is mandatory.

Data Protection Officer (DPO)

The DPO is the designated person or company responsible for advising the organisation about their data protection obligations and monitoring compliance with legislation.

Veritau acts as DPO for nearly 600 public sector organisations – find out more about our service

Data sharing / information sharing agreement

This is a formal agreement between two or more data controllers, who make their own decisions on the processing of the data. It is not mandatory but is considered best practice.

The agreement lays out what information will be shared, for what purposes, and the agreed details around storage, retention, destruction etc. Please note, this differs from a data processing contract, which is with a data processor.

Data subject

An identified or identifiable living individual, to whom personal data relates – ie the person the data is about. See personal data

Destruction log

A record of when and how electronic and hard copies of documents have been destroyed or deleted.

Environmental Information Regulations (EIR)

EIR is similar in nature to the FOI Act. It allows members of the public to access environmental information from a range of organisations.

An example would be a request about energy use by your organisation. EIR has similar exemptions (called exceptions under EIR) and timescales to FOI.

Freedom of Information (FOI)

The Freedom of Information Act 2000 allows any individual to make a request (FOI request) to an organisation for recorded information. Applicants need to provide their name, contact details and enough information to understand the request.

General Data Protection Regulation (GDPR)

This is a piece of EU legislation on data protection and privacy that became enforceable in May 2018 across the EU. GDPR provides rules for most data protection situations and allows EU member states to make their own choices about certain limited matters.

When the UK left the EU, GDPR was incorporated in to UK law as ‘UK GDPR‘.

Information asset

A body of information which is defined and managed as a single unit so that it can be understood, shared, and protected efficiently. For example this may include HR files, CCTV recordings, etc.

Information Asset Owner (IAO)

A senior member of staff who is responsible for an information asset, understands the value of that information and the risks associated with it.

Information Asset Register (IAR)

A register of all the organisation’s information assets. This helps compliance with Article 30 of UK GDPR, which requires organisations to maintain a record of their processing activities. Each entry covers areas such as processing purposes, data sharing and retention.

Information Commissioner’s Office (ICO)

The independent public authority which enforces data protection legislation in the UK. The ICO has a range of powers including issuing fines and instigating prosecutions for non-compliance.

Information security

Processes, measures and tools designed to protect confidential, private and sensitive information from unauthorised access, use, misuse, disclosure, destruction, modification, or disruption. This could be in print, electronic, or any other form.

Lawful basis

When processing personal data, you must have a valid lawful basis to rely on. Several lawful bases are available and it will depend on the situation.

The lawful basis for processing must be identified:


This comes from the term ‘malicious software’. Malware includes viruses, trojans, worms or any code or content that can damage computer systems, networks or devices. It can also include ransomware, which is when payment is demanded to release the locked data or system.

Personal data

Information that relates to an individual (the ‘data subject’). That individual must be identified or identifiable either directly or indirectly.

UK GDPR defines personal data as:

“Any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person”.


A type of cyber attack designed to trick the victim in to revealing information to the attacker or to place malware onto the victim’s computer. This often takes the form of an email seemingly from a reputable source, but can also be done via social media, text or phone call.

Read more cyber security articles from Veritau

Privacy notice

When processing personal data, you must tell people what you are doing with it. They have the right to know why you need it, what you are doing with it and who you are going to share it with. This is known as transparency.

Data subjects must also be provided with information on their rights and who to contact to exercise these or complain. The information is provided to them using a document called a privacy notice.


Amending a dataset so that personal data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately.

Retention schedule

A records management tool that lists the information types held, and defines how long information should be kept for.

Senior Information Risk Owner (SIRO)

The person in an organisation who takes overall responsibility for information risk within the organisation.

Special category data

Sensitive personal data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic or biometric data used to uniquely identify individuals
  • health
  • sex life or sexual orientation

Special category data is subject to extra protections in data protection law. Personal data relating to criminal convictions and offences are not included as special category data, but similar safeguards apply to this too.

Subject Access Request (SAR)

Any individual has the right to make a request to an organisation for a copy of the personal data that the organisation holds about them. This is called a Subject Access Request or ‘SAR’. The response must be provided within one calendar month.

UK General Data Protection Regulation (UK GDPR)

Since the UK has left the EU, the UK has adopted its own version of the GDPR. In most respects, it is the same as the GDPR.

Still a bit confused?

Veritau provides data protection services to over 500 clients across the UK, including schools, councils, national sporting bodies and more.

We can act as your DPO, work with your existing DPO, or provide a consultancy-based service. Get in touch with our team of experts