This is the person or persons who decides what happens to personal data - how it’s stored, processed, where it goes and doesn’t go. They may need to demonstrate to the ICO how personal data is managed and that they are complying with GDPR. Sometimes the firm could delegate this to a Data Protection Officer (DPO), but it’s still the controller’s ultimate responsibility. Remember that GDPR extends to any data processor across the globe, if it has access to data from EEA citizens.

It’s the DPOs responsibility to lead the way. They will monitor the use of data, ensure that appropriate controls are in place, provide support and arrange training, provide guidance to senior management and lay down the law! Most importantly there should be no barriers that may hinder them from performing their role. Preferably they should not be a decision maker for the business, as this may create a conflict of interest.

Any individual or organisation which uses, handles or has access to this data. When a data processor makes a decision which affects how the data is used, they become a controller and are responsible themselves for meeting the GDPR. In some cases there are more than one controller.

This is a person identified from the data they have freely supplied.

Any information relating to an identifiable person (the data subject) either directly or indirectly:

• Name

• Address

• National insurance number

• Email address

• Location data

• Online identifier

• Specific factors which relate to a person, such as physical, psychological, genetic, mental, economic, cultural or social identifiers of a person.

Information of a more sensitive nature affords the highest standards of protection e.g. health information, genetics, economic, social, sexual orientation etc.