GDPR 101: The key terms you need to know

The entire piece of GDPR legislation is more than 250 pages long and is probably most appropriate of your legal team. However, even shortened and “dumbed-down” GDPR guides contain many terms that you need to understand to implement a compliance strategy. So, we’ve created glossary of key terms to know to help you decide which of the obligations of GDPR apply to your organization.

As we get closer to GDPR, many posts on this blog will use the terms below. Feel free to bookmark this one for future referral.


Consent – of the data subject means any freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data.

Data Controller – the entity (organization) that determines the purposes, conditions and means of the processing of personal data.

Data Erasure – also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.

Data Portability – the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.

Data Processor – the entity that processes data on behalf of the Data Controller

Side Question: What’s the difference between a data controller and data processor?

A: Control, rather than possession, of personal data is the determining factor. The data controller is the organization that determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees). A data processor could include storage of the data on a third party’s servers, or appointing a data analytics provider.

Data Subject – a person whose personal data is processed by a controller or processor

Personal Data – any information related to a person or ‘Data Subject’, that can be used to directly or indirectly identify the person

Pseudonymous Data – Unlike personal data, pseudonymous data is personal data that can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a “key” that allows the data to be re-identified.

Right to Access – also known as Subject Access Right, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.

Please note that the terms and definitions below are qualified in their entirety by the GDPR text itself, which can be found here. SugarCRM disclaims any responsibility to update the terms and definitions below and the list below is not intended to be a comprehensive list of key terms. You should consult your counsel and/or compliance team regarding GDPR.

Originally posted on February 14, 2018: GDPR 101: The key terms you need to know | SugarCRM Blog