GDPR terms and what they mean

Legal terminology can often be confusing. Here are some brief explanations of terms you’ll frequently hear when dealing with GDPR.

Information Commissioner’s Office (ICO)

The ICO is the independent regulatory body which deals with data protection in the UK. They advise on compliance with data protection legislation, handle complaints and may undertake audits of organisations. In more serious cases the ICO can serve enforcement notices and financial penalties, and prosecute where a criminal offence has occurred. The most helpful thing the ICO provide is an online Guide to GDPR, which is long and detailed but well-indexed, searchable and a definitive source of information on GDPR.

Data Subject

The person whom the data is about.

Personal Data

Any information about a living individual which is capable of identifying that individual. It can be on paper as well as digital/electronic, and can be images, like photos or CCTV footage.

Sensitive Information

This is any information relating to an individual’s:

  • Racial or ethnic origin
  • Sexual orientation
  • Religious, political or trade union affiliation
  • Genetic or biometric data

This is also known as Special Category Information. Note that personal data of our congregations is considered Special Category because Christian religious affiliation can be inferred from their membership of a Church. This means the data should be handled more carefully and with greater security than ‘normal’ personal data (although unhelpfully, the law is not specific about how much more securely).

Data Controller

The legal entity that decides how the data is kept and used. A ‘legal entity’ can be a company, a charity, a PCC (as a charity), an incumbent or a Bishop. The Church of England, because of the way it is structured and instituted, has a great many ‘legal entities’. 

Data Processor

A legal entity, separate from the data controller, which actually processes the data on instructions from the data controller. Note that:

  • A data controller can also process data
  • You can have joint data controllers (two legal entities which share the data) 


Almost anything you can imagine doing with data counts as ‘processing’: recording, disseminating, adapting, obtaining, destroying, organising, erasing, transmitting, retrieving, combining, altering, holding – all these activities count as ‘processing’ of data.

Last Updated

Jun 2024 – Reviewed and checked