Last updated: February 2024


Aggregate/Aggregated (e.g. “aggregated data insights”): To aggregate means to combine individual records into a single group or total and present the result as a summary. “Aggregated data insights” therefore refers to summary information about a set of data as a whole (counts, averages, proportions) rather than to any single individual or characteristic within it.

Anonymise/Anonymisation: To anonymise means to irreversibly prevent the identification of individuals within a data set. Organisations anonymise data to make it more secure and to help them comply with their data protection responsibilities. Data that has been properly anonymised is no longer personal data and falls outside the UK GDPR, but the test is whether re-identification is reasonably likely, taking into account other information the organisation or a third party could combine with it; simply removing names is rarely enough (compare Pseudonymisation below).


Biometric Data: Biometric data according to the GDPR is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. Facial recognition, voice recognition and fingerprint data are all examples of biometric data under the GDPR. Where biometric data is processed for the purpose of uniquely identifying someone it is also special category data (see below).


CRAIN: The Credit Reference Agency Information Notice, the privacy notice produced jointly with Experian and TransUnion (the other key credit reference agencies (CRAs)) to explain how CRAs process personal data for core credit referencing activities. These activities often relate to personal data that has not been collected directly from the individual.

CRA: Credit reference agency. The three main CRAs in the UK are Equifax, Experian and TransUnion.


Data Controller: Any person, partnership or company who determines how and why personal data is processed. A third party may carry out processing on the controller’s behalf, although the data controller remains responsible for the processing.

Data Processor: A person, partnership or company who processes personal data for a data controller, other than the controller’s employee. Outsourced IT and HR service providers may be processors.

DPA: In most countries, national data protection authorities (DPAs) or regulators have been established to be the guardians of data protection. In the UK, the DPA is the Information Commissioner’s Office (ICO).

DPO: Data Protection Officer. An individual designated by an organisation to advise on and monitor its compliance with data protection law. Appointing a DPO is mandatory for some organisations, for example those whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data.

Data Subject: A living individual, of any nationality and age, to whom personal data relates.

DSAR or Data Subject Access Request: This is a request made by an individual who wants to see a copy of the personal data an organisation holds about them and other supplementary information relating to this processing. 

DSRs or Data Subject Rights: Data subjects have a number of rights under data protection laws including the right of access (commonly known as a data subject access request (DSAR)), the right to erasure and the right to object.


FCA: The Financial Conduct Authority, the financial regulatory body in the UK.

FPA: Fraud Prevention Agency, an organisation that collects, maintains and shares data on known and suspected fraudulent activity.


GDPR: General Data Protection Regulation (Regulation (EU) 2016/679), the European Union’s data protection law.


Information Commissioner’s Office (ICO): The DPA for the UK.


Natural Person: A term that appears often in the GDPR/UK GDPR. It is used to distinguish a real individual from a legal person such as a company.


Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Personal Data: Data relating to a living individual who can be identified from that data, either alone or in combination with other information the data controller holds or can reasonably obtain. There is no exhaustive list of what counts as personal data (unlike the enumerated lists that define PII in some US laws); anything that identifies or singles out an individual, including online identifiers such as IP addresses or device IDs, can qualify. Personal data also includes opinions about, and intentions in relation to, the data subject.

Processing: Obtaining, recording, holding, or carrying out any operation on personal data. It includes organisation or alteration; retrieval or use; disclosure and anonymisation, blocking or destruction. Most use of personal data will constitute processing.

Profiling: Profiling is the automated processing of personal data to evaluate things about an individual and assign a profile to them. Personal data is analysed to identify links between behaviours and characteristics to classify people into different groups or sectors, therefore creating profiles for individuals.

Pseudonymisation: Often confused with anonymisation, but with pseudonymisation the individual can still be identified. At its most basic, replacing an employee’s name with an identification number and removing their other personal details is pseudonymisation, because whoever holds the key or lookup table linking numbers back to names can reverse it. Pseudonymised data therefore remains personal data under the UK GDPR; the law requires the additional information needed for re-identification to be kept separately and protected by technical and organisational measures. Note that an unkeyed hash of a predictable value (a date of birth, a postcode, an email address) is not effective pseudonymisation, since anyone can hash every candidate value and match the results.


Right to Erasure: The right to erasure allows individuals to request that an organisation erases their personal data. This right is not an absolute right and only applies in certain circumstances.  

Right to Object: The right to object gives individuals the right to object to the processing of their personal data. The right to object is only an absolute right when in relation to direct marketing.


SA or Supervisory Authority: Another name for a Data Protection Authority (DPA).

Segmentation: Segmentation is the process of dividing into segments, for example dividing individuals into groups based on similar behaviours or characteristics.

Special Categories of Personal Data: Special categories of personal data are more sensitive in nature and therefore require higher levels of protection. Special category personal data includes:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health; or
  • data concerning a natural person’s sex life or sexual orientation.

Suppression: Suppression refers to the process of ensuring an individual’s personal data is not used for direct marketing purposes. A suppression file or list will store information relating to individuals who, depending on the circumstances, should not be sent direct marketing, e.g. individuals who have moved address or those who have opted-out of receiving direct marketing.


Technical and Organisational Measures (TOMs): Data protection laws say that organisations must implement appropriate technical and organisational measures to keep personal data secure, proportionate to the risk of the processing. Technical measures include things like encryption, pseudonymisation, access controls and logging; organisational measures include policies, staff training, access approval processes and regular testing of those controls.

Transfer Mechanisms: Legal safeguards, such as adequacy regulations or approved contractual clauses, that ensure personal data continues to receive protection equivalent to that provided by the UK GDPR when it is transferred out of the UK.


UK GDPR: After Brexit, the GDPR was retained in UK law, where it sits alongside the Data Protection Act 2018 and is known as the UK GDPR.