Data controllers and data processors are an integral part of the GDPR. This article explains what those roles involve and helps you understand whether you are a controller, a processor or both.
The terms ‘data controller’ and ‘data processor’ have been around for years, but it’s only since the EU GDPR (General Data Protection Regulation) took effect that they’ve been scrutinised.
That’s understandable. The roles are closely related, both are integral to the GDPR, and a misunderstanding can lead to non-compliance and severe punishment. That’s why we’ve dedicated this blog to explaining everything you need to know about data controllers and data processors.
In a nutshell, a data controller is the person or group that decides when and why an organisation collects data. A data processor is the organisation that does the legwork; it processes the information on the controller’s behalf.
For example, a marketing executive at a retailer hires a company to conduct a survey on shoppers’ browsing habits. The executive (and the retailer generally) is the data controller, and the company conducting the survey is the data processor.
Sounds simple enough. Unfortunately, once you delve deeper into the practicalities of those roles, things get a lot more complicated.
Responsibilities of the data controller
A data controller takes top-level responsibility for data collection. If you have the authority to determine that information needs to be collected, you are a data controller.
But, of course, under the GDPR, you can’t just go ahead and start gathering that information. You need a lawful basis to do so, and it’s the data controller’s responsibility to determine and document this.
Data controllers must also determine:
- Which items of personal data to collect (names, contact information, gender, etc.);
- Which individuals to collect data about;
- Whether to disclose the data and, if so, to whom;
- Whether subject access and other individuals’ rights apply; and
- How long to retain the data or whether to make non-routine amendments to the data.
Multiple people or organisations might split these responsibilities, and the GDPR accounts for this. It’s possible to have several data controllers for the same activity, so that, for example, one controller is responsible for determining what data to collect and another is responsible for determining how to remain GDPR compliant.
Responsibilities of the data processor
The data processor must make sure that the data controller’s determinations are carried out correctly, and that data is collected and stored according to the GDPR’s requirements. Article 28 of the Regulation stipulates that the parties sign a contract to ensure this happens and to avoid ambiguity over responsibility if the processing is found to violate the GDPR’s requirements.
That’s not to say that the data processor is entirely at the whim of the data controller. They are responsible for:
- The logistics of data collection;
- How to store the collected information;
- Keeping the information secure;
- How to transfer the personal data;
- The method for ensuring a retention schedule is adhered to; and
- The means used to delete or dispose of the data.
Data controllers can also be processors, and other complications
Hopefully you now have a good grasp of data controllers and processors. However, one final complication you need to understand is that controllers and processors are not two fixed, separate groups: an organisation is not permanently one or the other, because the role depends on the processing activity in question.
To return to our earlier example, the third party conducting the survey for the retailer is a processor for that activity, but it is a controller for other activities (such as gathering and storing information about its own employees).
It’s also common for organisations to get their own employees to process information. In such cases, the organisations are both data controllers and data processors.
Want to learn more?
You can find out more about this topic by watching our webinar: The responsibilities of controllers and processors under the GDPR and how ongoing staff awareness can support compliance.
This webinar provides a comprehensive overview of the current regulatory landscape, including the GDPR, before moving on to the specifics of data controllers and processors. You’ll learn:
- The main responsibilities and obligations of controllers and processors;
- The role of controllers and processors in data breach and incident response management;
- The penalties and liabilities imposed on processors and controllers; and
- The limitations and restrictions of appointing joint controllers and subcontracting processors.