So are you a data controller or a data processor? It’s important to understand this distinction, because it defines your responsibilities under EU data protection law. Previously, data processors largely escaped direct liability under the law; most obligations sat with the controller. By placing new obligations directly on data processors, the GDPR changes that.
Here, we’ll explain these changes, help you correctly identify whether you fall into the processor or controller camp and outline the obligations that apply to your organisation.
What is “personal data”?
If your organisation “processes personal data”, then the GDPR applies to you. So first off, it’s important to be clear on the meaning of “personal data”, and what it actually means to “process” it.
Personal data is essentially any information that relates to an identified or identifiable living individual (the GDPR protects “data subjects” in the EU, not only EU citizens). It includes basic identifying information such as names, addresses, telephone numbers, driving licence numbers, credit card details and online identifiers. It also includes sensitive (or “special category”) personal data, such as genetic and biometric data, health data, and data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation.
Whether or not the information you hold could identify someone depends on context. So let’s say you don’t know someone’s real name, but you do know their username on your website, or you hold information on their preferences and location obtained through cookie data. Because those details can single the person out, this can still constitute “personal data”.
It’s not just businesses that sell to consumers who have to pay attention to the GDPR. Much of the information you hold on your employees will be covered. And let’s say you have a list of work email addresses for business buyers: where an address identifies a named individual, that’s “personal data” too.
Do you “process” it?
“Data processing” is a very broad term. Basically, it means anything that is done to or with personal data. You might collect it either manually or automatically, analyse it, use it for marketing or research purposes, simply store it on behalf of someone else, or even delete it. In all of these situations, you are “processing” that data.
Are you a data controller?
The data controller is the person or body who, alone or jointly with others, determines the purposes and means of processing personal data. In plain English, you decide what the data is for and how it’s going to be handled.
So let’s say you run an ecommerce business. You’re going to collect the ID, contact and payment details of customers. The primary purpose of this is pretty obvious: to fulfil orders! You might have secondary purposes in mind, too: making future sales predictions and telling existing customers about new offers, for instance. In this example, the “means of processing” might be a cloud-based CRM system. Because you chose both the purposes and the means, you are the controller.
Are you a data processor?
We’ve already seen that “data processing” is a very wide term. But a “processor” has a very distinct meaning under the GDPR. This refers to a person or body that is separate from the data controller (an employee acting under the controller’s authority is not a processor) and that processes personal data on behalf of that controller. In other words, the controller gives the processor a specific job to do, and the processor does it on the controller’s documented instructions.
Back to the example of the ecommerce business. It offers an extended warranty period on its goods. In order to keep track of any claims that might arise from this, it has decided to keep all customer purchase records for a period of three years. It hires a company to store this data on its behalf via an online archive system. That company is a “data processor” for the ecommerce business: it stores the data because it has been instructed to, and it does not decide what the data is used for.
Can you be a data processor and a data controller?
In certain circumstances, yes. Here’s an example…
You carry out data analytics work on behalf of charities. You’ve been tasked with analysing a particular dataset containing personal information and producing a future needs prediction report. You are a “data processor” for that client.
Meanwhile, for your own research purposes, you want to analyse the information from the datasets of lots of clients to produce a meta-report (assuming you have a lawful basis for this, such as consent from the data subjects, and the agreement of the clients who supplied the data!). You’re processing the same data as before, but this time you’re using it for a purpose that you decided on. In other words, for this processing, you’re a “data controller”. Note the caveat: a processor that uses personal data for its own purposes, outside the controller’s instructions, is treated as a controller for that processing, with all the obligations that entails.