Key GDPR definitions

It is useful to understand a few key terms.
Personal data is information about a living person. This includes names, addresses, health information, and so on. It covers any information that can be linked to a living person, such as email addresses and ID numbers. Some personal data is called ‘special category data’, which refers to sensitive types of information about things like health, ethnicity, religion, etc.
Data subjects are living people. The GDPR isn’t interested in data about companies or dead people.
Processing is nearly anything you do with personal data. This includes things like storing it somewhere, putting bits of data together (like recording marks next to a student’s name), entering the data into a spreadsheet and deleting the data. The GDPR is only interested in data processing activities relating to personal data.
Controllers are the organisations that use the personal data. They are responsible for deciding what to do with the personal data and how to process it to achieve that. Nearly every organisation is a controller because they have data about their employees. A lot of organisations are controllers because they want to process the personal data of other people. Schools are controllers because they want to process the personal data of staff and students.
Processors are organisations that do processing on behalf of a controller. For instance, if your school uses a payroll company to manage salaries, that’s a processor. The school wants the data processed and the payroll company does that for it. The school may also be a data processor for organisations such as the Department for Education (DfE) where they want the school to process information about staff and/or pupils. Where there is a legal requirement to process data on behalf of another organisation, however, the school will be the controller. An organisation can be both a controller and a processor for different processing activities.