Last updated: February 2024

A

Aggregate/Aggregated (e.g. “aggregated data insights”): To aggregate means to combine into a single group or total, and present as a summary. “Aggregated data insights” therefore refers to a summary of information or insights relating to a set of data rather than a singular individual or characteristic.

Anonymise/Anonymisation: To anonymise means to irreversibly prevent identification of individuals within a data set. Organisations anonymise data to make it more secure and to help them comply with their data protection responsibilities.

B

Biometric Data: Biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”. Facial recognition, voice recognition and fingerprint data are all examples of biometric data.

C

CRAIN: The Credit Reference Agency Information Notice (CRAIN) is the privacy notice produced jointly with Experian and TransUnion, the other key credit reference agencies (CRAs), to explain how CRAs process personal data for core credit referencing activities. These activities often relate to personal data that has not been collected directly from the individual.

CRA: Credit reference agency. The three main CRAs in the UK are Equifax, Experian and TransUnion.

D

Data Controller: A person, partnership or company who determines how and why personal data is processed. A third party may carry out processing on the controller’s behalf, although the data controller remains responsible for the processing.

Data Processor: A person, partnership or company who processes personal data for a data controller, other than the controller’s employee. Outsourced IT and HR service providers may be processors.

DPA: Data protection authority, also known as a supervisory authority (SA) or regulator. In most countries, national data protection authorities (DPAs) have been established to ensure organisations meet their data protection obligations. In the UK, the DPA is the Information Commissioner’s Office (ICO).

Data Protection Act 2018 (DPA 2018): The DPA 2018 is a data protection law in the UK which should be followed alongside the UK GDPR.

DPO: The primary role of a Data Protection Officer (DPO) is to ensure that the organisation processes personal data in line with the applicable data protection laws. Equifax’s DPO can be contacted via ukdpo@equifax.com.

Data Subject: A living individual, of any nationality and age, to whom personal data relates.

DSAR or Data Subject Access Request: This is a request made by (or on behalf of) an individual who wants to see a copy of the personal data an organisation holds about them and other supplementary information relating to this processing.

DSRs or Data Subject Rights: Data subjects have a number of rights under data protection laws including the right of access (commonly known as a data subject access request (DSAR)), the right to erasure and the right to object.

F

FCA: The Financial Conduct Authority, the financial regulatory body in the UK. The FCA regulates the financial services industry to ensure consumers are protected, financial markets work well, and there is effective and fair competition.

FPA: Fraud Prevention Agency, an organisation that collects, maintains and shares data on known and suspected fraudulent activity.

G

GDPR: General Data Protection Regulation, the EU data protection law. After Brexit, the GDPR was incorporated into UK law and is known as the UK GDPR.

I

Information Commissioner’s Office (ICO): The DPA for the UK.

N

Natural Person: A term used to distinguish a real individual from a legal entity, such as a company.

P

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Personal Data: Data relating to a living individual who can be identified from that data, either alone or with other information the data controller has access to. There is no set, specific, exclusive list of things that are personal data (unlike the lists that define PII in some US laws). Personal data includes opinions about, and intentions in relation to, an individual.

Processing: Obtaining, recording, holding, or carrying out any operation on personal data. It includes organisation or alteration; retrieval or use; disclosure; and anonymisation, blocking or destruction. Most use of personal data will constitute processing.

Profiling: Profiling is the automated processing of personal data to evaluate things about an individual, identify links between behaviours and characteristics and classify people into different groups or sectors, therefore creating profiles for individuals.

Pseudonymisation: Often confused with anonymisation, but with pseudonymisation the individual can still be identified, for example by whoever holds the information that links the pseudonym back to the person. Replacing an employee’s name with an identification number and removing all of their other personal details is an example of pseudonymisation.
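As an added illustration (not part of the glossary), the following Python contrasts the definitions of anonymisation and pseudonymisation given above on a constructed employee data set: pseudonymisation swaps direct identifiers for a keyed token but keeps a separately held lookup table (and key) that re-identifies individuals, whereas anonymisation reduces the data to aggregated counts with small groups suppressed, leaving nothing to reverse. The records, key, and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for illustration; these are not real people.
EMPLOYEES = [
    {"name": "Alice Example", "email": "alice@example.test", "dept": "Finance", "band": "C"},
    {"name": "Bob Example", "email": "bob@example.test", "dept": "Finance", "band": "B"},
    {"name": "Carol Example", "email": "carol@example.test", "dept": "IT", "band": "C"},
]

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed token and return both the
    pseudonymised records and the lookup table that maps tokens back.

    The token is an HMAC over the e-mail address, so it is stable for the same
    person and key but cannot be inverted without the table or the key. Because
    that table (or the key) exists somewhere, the output is still personal data.
    """
    lookup = {}
    pseudonymised = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        pseudonymised.append(
            {"id": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return pseudonymised, lookup


def reidentify(pseudonymised, lookup):
    """Reverse pseudonymisation using the separately held lookup table."""
    restored = []
    for rec in pseudonymised:
        identity = lookup[rec["id"]]
        restored.append({**identity, **{k: v for k, v in rec.items() if k != "id"}})
    return restored


def anonymise(records, min_group_size=2):
    """Produce aggregated counts per department and drop any group smaller than
    min_group_size, since a group of one would still single out an individual.

    No per-person rows and no lookup table survive, so there is nothing to
    reverse: this is the irreversibility the glossary's definition requires.
    """
    counts = Counter(rec["dept"] for rec in records)
    return {dept: n for dept, n in counts.items() if n >= min_group_size}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # must be held separately from the pseudonymised data
    pseudo, table = pseudonymise(EMPLOYEES, key)
    print("pseudonymised:", pseudo)
    print("re-identified matches original:", reidentify(pseudo, table) == EMPLOYEES)
    print("anonymised:", anonymise(EMPLOYEES))
```

The pseudonymised rows still carry department and salary band, which is why they remain personal data in the glossary's sense: anyone with the lookup table, or with enough background knowledge to single out the one person in a small department, can identify the data subject. The anonymised output keeps only group counts of at least two, so no individual record can be recovered from it.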

R

Right to Erasure: The right to erasure allows individuals to request that an organisation erase their personal data. This right is not absolute and only applies in certain circumstances.

Right to Object: The right to object gives individuals the right to object to the processing of their personal data. The right to object is only absolute in relation to direct marketing.

S

SA or Supervisory Authority: Another name for a data protection authority (DPA) or regulator. In most countries, national supervisory authorities (SAs) have been established to ensure organisations meet their data protection obligations. In the UK, the SA is the Information Commissioner’s Office (ICO).

Segmentation: Segmentation is the process of dividing a population into segments, for example dividing individuals into groups based on similar behaviours or characteristics.

Special Categories of Personal Data: Special categories of personal data are more sensitive in nature and therefore require higher levels of protection. Special category personal data includes:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data, and biometric data processed for the purpose of uniquely identifying a natural person;
  • data concerning health; and
  • data concerning a natural person’s sex life or sexual orientation.

Suppression: Suppression refers to the process of ensuring an individual’s personal data is not used for direct marketing purposes. A suppression file or list stores information relating to individuals who, depending on the circumstances, should not be sent direct marketing, e.g. individuals who have moved address or those who have opted out of receiving direct marketing.

T

Technical and Organisational Measures (TOMs): Data protection laws say that organisations must implement appropriate technical and organisational measures to keep personal data secure.

Transfer Mechanisms: Transfer mechanisms ensure that personal data is offered the same level of protection as the UK GDPR provides when that personal data leaves the UK.

U

UK GDPR: After Brexit, the GDPR was incorporated into UK law and is known as the UK GDPR.