Enforcement and Compliance
Expert-defined terms from the Certificate in GDPR Compliance course at London School of Planning and Management. Free to read, free to share, paired with a globally recognised certification pathway.
Enforcement and Compliance
Enforcement and Compliance refer to the processes and measures put in place to e…
This involves monitoring and evaluating a company's activities to verify that they comply with the requirements set out by the GDPR. Enforcement mechanisms may include fines, penalties, audits, and other sanctions for non-compliance.
Enforcement
Enforcement in the context of GDPR refers to the actions taken by regulatory aut…
This can include conducting investigations, imposing fines, and taking legal action against companies that fail to meet the requirements of the GDPR.
Compliance
Compliance, on the other hand, refers to the state of adhering to the rules and…
Organizations must implement measures to ensure that they are compliant with the GDPR, such as appointing a Data Protection Officer (DPO), conducting regular data protection impact assessments, and maintaining records of processing activities.
Data Protection Officer (DPO)
A Data Protection Officer (DPO) is a designated individual within an organizatio…
The DPO acts as a point of contact between the organization and regulatory authorities and is responsible for monitoring compliance, providing advice on data protection impact assessments, and training staff on data protection requirements.
Penalties
Penalties are fines or sanctions imposed on organizations for failing to comply…
The GDPR allows regulatory authorities to impose fines of up to €20 million or 4% of annual global turnover, whichever is higher, for serious violations of the regulation.
Audits
Audits are systematic examinations of an organization's data processing activiti…
Audits can be conducted internally by the organization or externally by regulatory authorities. During an audit, the organization's data protection practices, policies, and procedures are reviewed to identify any areas of non-compliance.
Sanctions
Sanctions are penalties imposed on organizations for non-compliance with the GDPR. Sanctions can include fines, warnings, reprimands, orders to comply with data subjects' requests, and temporary or permanent bans on data processing activities. Sanctions are intended to deter organizations from violating data protection regulations and to protect the rights and freedoms of individuals.
Data Subject Access Requests (DSARs)
Data Subject Access Requests (DSARs) are requests made by individuals to access,…
Under the GDPR, organizations are required to respond to DSARs within one month and provide individuals with a copy of their personal data, information on how their data is being processed, and details of any third parties to whom their data has been disclosed.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a process used to identify and ass…
Organizations are required to conduct DPIAs for high-risk processing activities in order to identify measures that mitigate those risks and ensure compliance with the GDPR.
Records of Processing Activities
Records of Processing Activities are documents that organizations are required t…
Records of Processing Activities contain information on the types of personal data processed, the purposes of processing, data retention periods, and the security measures implemented by the organization.
Privacy by Design and Default
Privacy by Design and Default is a concept outlined in the GDPR that requires or…
Privacy by Design means that data protection considerations are integrated into the development of new products and services, while Privacy by Default ensures that the highest level of data protection is set as the default option for users.
Data Breach Notification
Data Breach Notification is the process of informing regulatory authorities and…
Under the GDPR, organizations are required to notify the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach, and to notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
Data Processing Agreement
A Data Processing Agreement is a contract between a data controller and a data p…
Data Processing Agreements are required under the GDPR whenever a data controller engages a data processor to process personal data on its behalf, and they must include specific provisions to ensure compliance with data protection regulations.
Right to Erasure
The Right to Erasure, also known as the Right to be Forgotten, is a data subject…
Organizations must comply with requests for erasure unless there are legitimate grounds for retaining the data, such as legal or regulatory purposes.
Data Minimization
Data Minimization is a principle of data protection that requires organizations…
Data Minimization helps reduce the risk of data breaches, supports compliance with data protection regulations, and protects individuals' privacy by limiting the amount of personal data collected and stored by organizations.
Data Protection Authority (DPA)
A Data Protection Authority (DPA) is an independent public authority established…
DPAs are responsible for investigating complaints, conducting audits, issuing fines, and providing guidance on data protection issues to organizations and individuals.
Personal Data
Personal Data is any information that relates to an identified or identifiable n…
Personal Data is protected under the GDPR, and organizations must comply with strict rules and requirements when processing personal data to ensure that the rights and freedoms of individuals are protected.
Data Controller
A Data Controller is an entity that determines the purposes and means of process…
Data Controllers are responsible for ensuring that personal data is processed in compliance with the GDPR, including implementing appropriate security measures, providing individuals with information on how their data is processed, and responding to data subject rights requests.
Data Processor
A Data Processor is an entity that processes personal data on behalf of a data c…
Data Processors are required to comply with the instructions of the data controller, implement appropriate security measures to protect personal data, and assist the data controller in meeting its obligations under the GDPR.
Joint Controllers
Joint Controllers are two or more entities that jointly determine the purposes a…
Joint Controllers are required to enter into a joint controller arrangement that clarifies their respective responsibilities and obligations under the GDPR, including informing data subjects of their rights, responding to data subject requests, and ensuring compliance with data protection regulations.
Cross-Border Data Transfers
Cross-Border Data Transfers refer to the transfer of personal data from one country to another. Under the GDPR, organizations are required to ensure that cross-border data transfers comply with data protection regulations, for example by implementing adequate safeguards, obtaining data subject consent, or ensuring that the receiving country offers an adequate level of data protection.
Privacy Shield
Privacy Shield was a data protection framework that allowed organizations to tra…
However, the Privacy Shield was invalidated by the European Court of Justice in 2020 due to concerns about the protection of personal data transferred to the US.
Standard Contractual Clauses
Standard Contractual Clauses are model contractual clauses approved by the Europ…
Standard Contractual Clauses include provisions to protect personal data and ensure that data subjects' rights are upheld when personal data is transferred to countries outside the European Economic Area.
Binding Corporate Rules
Binding Corporate Rules are internal data protection policies adopted by multina…
Binding Corporate Rules must be approved by the relevant Data Protection Authority and provide safeguards for personal data protection consistent with the GDPR.
Data Localization
Data Localization refers to the practice of storing and processing personal data…
Some countries require organizations to store and process personal data locally to protect the privacy and security of data subjects. However, data localization requirements can pose challenges for organizations that operate globally and need to transfer data across borders.
Data Retention
Data Retention refers to the practice of storing personal data for a specific pe…
Organizations must establish data retention policies and procedures to ensure that personal data is retained only for as long as necessary and is deleted or anonymized when no longer needed.
Right to Access
The Right to Access is a data subject right under the GDPR that allows individua…
Organizations are required to provide individuals, upon request, with a copy of their personal data and information on how their data is being processed.
Right to Rectification
The Right to Rectification is a data subject right under the GDPR that allows in…
Organizations must respond to requests for rectification without undue delay and correct any inaccurate or outdated personal data.
Right to Restriction of Processing
The Right to Restriction of Processing is a data subject right under the GDPR th…
Organizations must restrict processing upon request in cases such as when the accuracy of the data is contested, the processing is unlawful, or the data is no longer needed for the original purpose.
Right to Data Portability
The Right to Data Portability is a data subject right under the GDPR that allows…
Organizations must provide individuals with their personal data in a portable format upon request, so that individuals can transfer their data between services.
Children's Data
Children's Data refers to personal data relating to individuals under the age of…
The GDPR imposes specific requirements on organizations that process children's data, such as obtaining parental consent for data processing activities, providing privacy notices in child-friendly language, and implementing age verification mechanisms to protect children's privacy and ensure compliance with data protection regulations.
Data Breach
A Data Breach is a security incident in which personal data is exposed, lost, or…
Data Breaches can result from cyberattacks, human error, or technical failures and can pose risks to individuals' privacy and data protection rights. Organizations are required to report data breaches to regulatory authorities and affected individuals under the GDPR.
Notification Obligation
Notification Obligation refers to the requirement under the GDPR for organizatio…
When determining whether notification is necessary, organizations must assess the severity of the breach, the risks to individuals' rights and freedoms, and the measures taken to mitigate the impact of the breach.
Consent
Consent is one of the legal bases for processing personal data under the GDPR, a…
Consent must be specific, unambiguous, and revocable at any time, and organizations must provide individuals with clear information on the purposes of data processing and their rights before obtaining consent.
Legitimate Interest
Legitimate Interest is another legal basis for processing personal data under th…
Organizations must conduct a Legitimate Interest Assessment to balance their interests against the rights and freedoms of individuals and to ensure that the data processing is lawful and compliant with the GDPR.
Data Subject Rights
Data Subject Rights are the rights granted to individuals under the GDPR to prot…
Data Subject Rights include the rights of access, rectification, erasure, restriction of processing, and data portability, the right to object to processing, and the right not to be subject to automated decision-making. Organizations must respect and facilitate data subject rights to ensure compliance with data protection regulations.
Automated Decision-Making
Automated Decision-Making is the process of making decisions about individuals based solely on automated processing, such as algorithms or artificial intelligence, without human intervention. The GDPR imposes restrictions on automated decision-making that has legal or similarly significant effects on individuals, and grants individuals the right to be informed about the logic involved, the right to challenge the decision, and the right to human intervention.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a tool used by organizations to id…
DPIAs are required under the GDPR for high-risk processing activities, such as large-scale data processing, profiling, or systematic monitoring, and help organizations assess the impact of data processing on individuals and ensure compliance with data protection regulations.
Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) is a process used by organizations to assess t…
PIAs help organizations identify and mitigate privacy risks, ensure compliance with data protection regulations, and enhance privacy protection for individuals. PIAs are similar to DPIAs but focus more broadly on privacy considerations.
Privacy Policy
A Privacy Policy is a document published by organizations that outlines how pers…
Privacy Policies inform individuals about their rights, the purposes of data processing, data retention periods, security measures, and contact information for data protection inquiries. Organizations are required to provide clear and transparent Privacy Policies to individuals to ensure compliance with the GDPR.
Data Processing Agreement (DPA)
A Data Processing Agreement (DPA) is a legal contract between a data controller…
DPAs are required under the GDPR whenever a data controller engages a data processor to process personal data on its behalf, and they must include specific provisions to ensure compliance with data protection regulations.
Data Subject
A Data Subject is an individual who is the subject of personal data processed by…
Data Subjects have rights under the GDPR to protect their personal data and privacy, such as the rights of access, rectification, erasure, restriction of processing, and data portability, and the right to object to processing. Organizations must respect and facilitate data subject rights to ensure compliance with data protection regulations.
Data Protection Officer (DPO)
A Data Protection Officer (DPO) is a designated individual within an organizatio…
DPOs act as a point of contact between the organization and regulatory authorities, provide advice on data protection issues, monitor compliance with the GDPR, and ensure that staff are trained on data protection requirements.
Data Breach Response Plan
A Data Breach Response Plan is a set of procedures and protocols established by…
Data Breach Response Plans outline the steps to take when a data breach occurs, such as notifying regulatory authorities, assessing the impact of the breach, informing affected individuals, and implementing measures to mitigate the risks to individuals' rights and freedoms.
Data Protection Training
Data Protection Training is a program provided by organizations to educate staff…
Data Protection Training covers topics such as data protection principles, data subject rights, security measures, data breach response, and legal obligations under the GDPR. Training staff on data protection helps organizations prevent data breaches, protect individuals' privacy, and maintain compliance with data protection regulations.
Data Protection Impact Assessment (DPIA) Template
A Data Protection Impact Assessment (DPIA) Template is a tool used by organizati…
DPIA Templates provide a structured framework for assessing the impact of data processing on individuals' privacy and data protection rights, identifying risks and vulnerabilities, evaluating measures to mitigate risks, and ensuring compliance with data protection regulations. Organizations can customize DPIA Templates to fit their specific data processing activities and requirements.
GDPR Compliance Software
GDPR Compliance Software is a technology solution used by organizations to facil…
GDPR Compliance Software helps organizations streamline data protection efforts, ensure compliance with data protection regulations, and protect individuals' privacy and data rights.
Data Protection Impact Assessment (DPIA) Tool
A Data Protection Impact Assessment (DPIA) Tool is a software application used b…
DPIA Tools provide a user-friendly interface for assessing the impact of data processing on individuals' privacy and data protection rights, identifying risks and vulnerabilities, evaluating measures to mitigate risks, and ensuring compliance with data protection regulations. Organizations can use DPIA Tools to streamline the DPIA process, improve data protection practices, and enhance compliance with the GDPR.
Data Protection by Design and by Default
Data Protection by Design and by Default is a principle outlined in the GDPR tha…
Data Protection by Design means that organizations must consider data protection requirements when developing new products and services, while Data Protection by Default ensures that the highest level of data protection is set as the default option for users. Implementing Data Protection by Design and by Default helps organizations minimize data protection risks, protect individuals' privacy, and maintain compliance with the GDPR.
Data Protection Officer (DPO) Responsibilities
Data Protection Officer (DPO) Responsibilities are the duties and tasks assigned…
DPO Responsibilities include monitoring compliance with the GDPR, advising on data protection issues, conducting DPIAs, training staff on data protection requirements, responding to data subject rights requests, and acting as a point of contact between the organization and regulatory authorities. DPOs play a crucial role in ensuring that organizations protect individuals' privacy, prevent data breaches, and maintain compliance with data protection regulations.
Privacy Impact Assessment (PIA) Checklist
A Privacy Impact Assessment (PIA) Checklist is a tool used by organizations to c…
A Privacy Impact Assessment (PIA) Checklist is a tool used by organizations to conduct PIAs for projects, services, or systems that may impact individuals