Skip to content

General Data Protection Regulation (GDPR) glossary for schools

There are many specialised words and terms associated with the General Data Protection Regulation (GDPR). These are the most common ones.

Binding Corporate Rules (BCR)
Corporate rules to allow multinational organisations such as multi national school networks to safely and legally transfer data internally (within the organisation) but across EU borders.
Freely given, specific, informed and explicit consent by statement or action by the student, parent, staff member or any person signifying agreement to the processing of their personal data. read more about consent
Data Controller
This is the school. Determines the purposes, conditions and means of the processing of personal data.
Data Portability
The requirement for schools to provide the student, parent, staff member with a copy of his or her data in a format that allows for easy use with another school or data controller.
Data Processor
The supplier, like MySchool, school management system, that processes data on behalf of the school (Data Controller).
Data Protection Authority (DPA)
National authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union.  Find your DPA
Data Protection Officer (DPO)
An expert on data privacy who works independently to ensure that a school or supplier is adhering to the policies and procedures set forth in the GDPR. READ: The DPO
Data Subject
Students, staff, parents or any person whose personal data is processed by the school or by the school management system supplier.
Encrypted Data
Personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access.
Personal Data
Any information related to the student, teacher or member of staff, that can be used to directly or indirectly identify the person.  Read: Unpacking Personal Data under the GDPR
Personal Data Breach
A breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data.
Privacy by Design
A principle that calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.
Privacy Impact Assessment (PIA)
A tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data.
Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Any automated processing of personal data intended to evaluate, analyse, or predict student, parent or staff behaviour.
The processing of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution.
Entity to which the personal data are disclosed.
Any person in the Union explicitly designated by the controller to be addressed by the supervisory authorities.
Right to Access
It entitles the student, parent or staff member etc to have access to and information about the personal data that the school has concerning them.
Right to be Forgotten (RTBF)
Also know as 'right to erasure'. Entitles the Student, Parent, Staff member etc (data subject) to have the school erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
General Data Protection Regulation. New data privacy and protection regulations which will replace individual data protection laws in all EU countries on 25th May 2018. read more