Organisations handle personal data in different ways. Some organisations, referred to as “data controllers”, call the shots, as they decide what the data is for and how it’s used. Others essentially do what they are told: they process the data on behalf of the data controller, and these are known as “data processors”.
So are you a data controller or a data processor? It’s important to understand this distinction as it defines your responsibilities under EU data protection law. Previously, data processors could avoid direct liability under the law. But by placing new obligations on data processors, the GDPR changes things.
Here, we’ll explain these changes, help you correctly identify whether you fall into the processor or controller camp and outline the obligations that apply to your organisation.
What is “personal data”?
If your organisation “processes personal data”, then the GDPR applies to you. So first off, it’s important to be clear on the meaning of “personal data”, and what it actually means to “process” it.
Personal data is essentially any information that could identify a European citizen. It includes basic ID information such as names, addresses, telephone numbers, driving licence numbers, credit card details, and Web identifiers. It also includes sensitive (or special category) personal data such as genetic and biometric information.
Whether or not the information you hold could identify someone depends on context. So let’s say you don’t know someone’s real name. But you do know their username on your website – or you have information on their preferences and location through cookie data. This can constitute “personal data”.
It’s not just businesses that sell to consumers that have to pay attention to the GDPR. Much of the info you hold on your employees will be covered. And if you have a list of work email addresses for business buyers, that’s “personal data” too.
Do you “process” it?
“Data processing” is a very broad term. Basically, it means anything that is done to or with personal data. You might collect it either manually or automatically, analyse it, use it for marketing or research purposes, or simply store it on behalf of someone else. In all of these situations, you are “processing” that data.
Are you a data controller?
The data controller is the person or body who determines the purposes and means of processing personal data. In plain English, you decide what the data is for – and what’s going to happen to it.
So let’s say you run an ecommerce business. You’re going to collect the ID, contact and payment details of customers. The primary purpose of this is pretty obvious: to execute orders! You might have secondary purposes in mind, too: making future sales predictions and telling existing customers about new offers, for instance. In this example, the “means of processing” might be via a cloud-based CRM system.
Are you a data processor?
We’ve already seen that “data processing” is a very wide term. But a “processor” has a very distinct meaning under the GDPR. This refers to a person or body who is separate from the data controller (i.e. not an employee) and who processes personal data on behalf of that data controller. In other words, the controller gives the processor a specific job to do – and the processor does it.
Back to the example of the ecommerce business. It offers an extended warranty period on its goods. In order to keep track of any claims that might arise from this, it has decided to keep all customer purchase records for a period of three years. It hires a company to store this data on its behalf via an online archive system. This company is a “data processor” on behalf of the ecommerce business.
Can you be a data processor and a data controller?
In certain circumstances, yes. Here’s an example…
You carry out data analytics work on behalf of charities. You’ve been tasked with analysing a particular dataset containing personal information and producing a future needs prediction report. You are a “data processor” for that client.
Meanwhile, for your own research purposes, you want to analyse the information from datasets from lots of clients to produce a meta-report (assuming you get consent from the data subjects!). You’re processing the same data as before, but this time, you’re using it for a purpose that you have control over. In other words, for this, you’re a “data controller”.
What are the obligations of a data controller?
It’s true that the GDPR puts new compliance obligations on processors (more on these shortly). That said, it’s still the case that primary responsibility for compliance rests with the controller. In other words, it’s your job to make sure individuals’ rights are upheld.
From the “right to be forgotten” to IT security, there’s a lot to cover here. Good news, though: The Privacy Compliance Hub gives the full lowdown on all areas of compliance data controllers need to get to grips with. Clients can dip into it whenever anything compliance-related crops up.
A few controller obligations deserve special mention here:
- Get registered (if you’re not already). Organisations that decide how personal data is processed must register with the regulator (in the UK, it’s the ICO). There’s a handy registration self-assessment tool for this.
- Get on top of your documentation. In areas such as defining what data you need to collect, data sharing and security breach management, the GDPR places obligations on you to maintain full records. The Privacy Compliance Hub can offer precisely the methodology you need to keep on top of this.
- Choose your processors wisely. If you outsource data processing tasks, you must look closely at potential partners’ privacy and security procedures. Only select data processors that provide proof that they will be able to perform their duties in compliance with the GDPR.
What are the obligations of a data processor?
The GDPR places new, direct statutory obligations on data processors. These include the following:
- Restrictions on subcontracting. As a processor, do you contract out certain activities (storage or formatting, for instance)? If so, the GDPR states that you need specific permission from the controller for this, and you will need a contract with this subprocessor containing special provisions.
- Security and reporting. If you suffer a security breach, you must notify the controller “without undue delay”.
- Documentation. As with controllers, you are obliged to keep good records to demonstrate compliance. This includes a record of all categories of processing activities. Need to get to grips with this? The Privacy Compliance Hub can help.
Under the old law, the biggest risk faced by processors who failed to live up to reasonable standards was essentially a claim for breach of contract by the controller.
For processors especially, the GDPR marks a big shift. For the first time, processors face direct regulatory intervention – including reprimands and possible fines – in the event of a compliance breach. By identifying the procedures and tools you need to get compliance right, you should have everything you need to stay on top of your obligations.
For more information on data protection compliance, explore the rest of our hub here. If you’d like more information on how The Privacy Compliance Hub can bring your organisation up to speed quickly and securely, don’t hesitate to get in touch!