How an organisation implements GDPR depends on whether the organisation may be classed as a ‘data controller’ or ‘data processor’. Data controllers and processors have different roles that they must fulfil under GDPR; therefore, if an organisation is to meet its compliance requirements, it is essential they know how they are categorised. It is important to note that some organisations may fall into both categories.
There are several key differences between data controllers and data processors. Consider a company processing payroll data. GDPR would class this organisation as a data processor, as it processes data in a manner determined by its customers and for the purposes which its customers decide. Therefore, the customers would be the data controllers, as they determine the purpose and means of processing.
GDPR defines a data controller as an organisation which decides the reasons for which data must be collected and how that process occurs. Data controllers have many legal obligations under GDPR.
For example, data controllers are responsible for ensuring that the organisation’s data processing methods comply with GDPR. The accountability principle of Article 5 states that data must be “processed lawfully, fairly and in a transparent manner”. Therefore, data controllers must be able to prove to consumers and regulators that their practices are compliant with GDPR.
Article 5 outlines other stipulations which data controllers must follow, such as limiting the use of the data to “specified, explicit and legitimate purposes”. Data controllers must process only the minimum data needed for the purpose, and they must take steps to ensure that the consumer data is accurate.
GDPR requires data controllers to maintain the confidentiality of the data. Data controllers protect data by requiring their data processors to follow a particular code of conduct. This code of conduct can help guarantee that the data processors follow the correct practices to protect consumer privacy.
This ‘data protection by design and by default’ approach is addressed in GDPR’s Article 25. This Article calls for the data controller to introduce “appropriate technical and organisational measures” to:
- Implement data-protection principles, such as data minimisation
- Ensure that, by default, only the data necessary for each specific purpose is processed
- Keep the period of the data storage to a minimum
- Ensure access to data is strictly limited to only those who require it
Sometimes, multiple data controllers may jointly determine the goals and manner of processing. In such cases, they should designate which party is responsible for data protection, data minimisation, and the other obligations that data controllers have under the law.
Controllers are also responsible for carrying out data protection impact assessments in certain circumstances.
Article 4 of the GDPR defines data processors as “a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller”. Data processors are critical to ensuring that the integrity of data is maintained, as they handle and process vast amounts of information. Data controllers should conduct careful investigations into potential data processors to ensure that their practices are fully GDPR compliant. GDPR requires data controllers to conduct this research and to put strict agreements in place to ensure that processors fulfil their legal requirements.
Data Processors’ Responsibilities
Under GDPR, data processors must receive written permission from the relevant authorities and data controller before sub-contracting another organisation to process data. The processors must obtain a contract binding the subcontractor to the same standards to which the data processor is held. Any sub-contractor must comply with the GDPR-compliant procedures before transferring any data to a non-EU country. The processor must answer to the controller for any error committed by the sub-contractor.
Processors must ensure that adequate safeguards are in place to protect the integrity of sensitive data.
Data processors and controllers must work in tandem while conducting impact assessments. Processors must be able to answer any questions or objections posed to them. Importantly, they must be able to satisfy data subjects who exercise their “right to be forgotten”, who request a copy of their data, or who object to the use of their data. These requests may initially be made by the data subject to the data controller, but the data processor must execute them.
It should be noted that in certain circumstances, data processors and data controllers may be required to appoint a Data Protection Officer (DPO). DPOs are needed when organisations process large amounts of data systematically, or when the data is related to criminal and legal records.