GDPR Data Privacy Primer for Small Business: Part 2 – Terms and Articles



In Part 1 of our GDPR series, we alerted SMBs to the likelihood of being subject to GDPR’s strict regulatory provisions. We answered basic questions about its operational and financial impact, including potential penalties, which, in case you missed them, can go as high as $24 million US dollars or 4% of global revenue, whichever is higher.

Here in Part 2, you will learn some essential vocabulary from the GDPR lexicon, including terms that seem familiar in a US business setting but whose meaning, according to European regulators, may differ greatly from your own.  We also point out GDPR Articles that reveal just how radical European privacy principles may feel to American business owners, especially in smaller organizations.

GDPR Chapters, Articles, Terms

The General Data Protection Regulation consists of 11 chapters, each containing a number of sections, Articles and essential terminology. We believe that all 11 chapters (and all 99 Articles) deserve US business leaders’ scrutiny. But given GDPR’s 200-plus pages of regulations, these three chapters may be a good place to get your feet wet:


  • Chapter 3–Rights of the Data Subject. Key concepts include: rectification of inaccurate data, right to erasure (aka right to be forgotten), and right to data portability.
  • Chapter 4–Obligations and Responsibilities of Data Controllers and Processors. Key concepts include: maintaining data security, controller/processor codes of conduct and record keeping, and role of the Data Protection Officer (DPO)–a new position that many US firms may soon  establish.
  • Chapter 8–Remedies, Liabilities and Penalties. Key concepts include consumers’ rights to: lodge a complaint, seek judicial remedies against supervisory authorities; and the imposition of administrative fines and penalties.


Conveniently, Article 4, from the General Provisions chapter, contains 26 essential terms, including those provided for you below.

Key GDPR Definitions

As a prelude, know that European regulators refer to people as ‘identifiable natural persons’ and ‘data subjects,’ whose information is collected and/or handled by ‘controllers’ or ‘processors.’ So, given that, what’s considered ‘personal data’ and what isn’t?

Personal Data: any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify the individual, such as: name, an identification number, location data, an online identifier, or factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.

Data Subject: a natural person whose personal data is handled by a controller or processor.

Data controller: the entity that determines the purposes, conditions and means of the processing of personal data. Example: Company A commissions Company B to conduct research on A’s behalf;
B decides whom to target, which data to collect, and methods of processing, using and storing the data. This makes Company B the controller.

Data processor: the entity that processes data on behalf of the data controller. Example: Company A supplies data to Company B, a payroll management firm, for processing, providing explicit instructions and data-handling requirements. Under GDPR, the processor is Company B.

Consent: freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data.

Right to be Forgotten (data erasure) entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.

Pseudonymisation: the processing of personal data so that it can no longer be attributed to a single data subject without the use of additional data, so long as the additional data stays separate to ensure non-attribution.

Profiling: any form of automated processing to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects regarding the person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

While it’s true that the GDPR won’t immediately affect all U.S. businesses, those who must comply may find themselves in the 11th hour–possibly in need of an IT Managed Services Provider (IT MSP) to provide last minute guidance, security solutions or infrastructure upgrades. If that’s you, contact TeamLogic IT today.