GDPR Data Controllers and Processors
One of the key features of the GDPR is its distinction between "data controllers" and "data processors", which plays a central role in compliance under the new EU law.
In short, controllers and processors are the individuals or entities responsible for ensuring that personal data is handled and used in accordance with the law.
In practice, the people who actually handle the data can be anyone from an IT person running a query on a database to an HR person reading a customer file, all acting under the authority of the controller or processor. The number of people handling data within an organization generally makes it tricky to comply properly with the law.
In some sense data controllers sit at the top of the GDPR hierarchy: the controller is the party that determines the purposes and means of the processing, and it remains responsible for processing carried out on its behalf by data processors, sub-processors, etc.
While the data controller may not directly process any data itself, it is directly responsible for the manner in which the data is processed.
The specific responsibilities of the controller outlined in Article 24 of the law are as follows:
- Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
- Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
- Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Data processors, while similar in many ways to controllers (the same entity can act as a controller for some processing and as a processor for other processing), have some key differences in how they function.
In short, a data processor processes personal data on behalf of a controller. This processing can range from reading a physical file to automatically inserting information into a database.
From Article 4(8) of the GDPR, the data processor is defined as:
"'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;"
Where the act of processing is defined in Article 4(2) as:
"any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"
Another consideration for processors is that a processor does not need to be part of the organization at all.
Rather, processors are often third parties such as marketing/analytics agencies or law firms that process personal information on behalf of the organization.
Given the nuances between data processors and controllers, it is important for any organization seeking GDPR compliance to understand who, both inside and outside the organization, controls and processes personal data.
Failure to do so increases the risk that data is mismanaged, potentially violating the law.