2018-07-25 09:39:09
When it comes to GDPR, understanding who your organization is translates into knowing what your rights and obligations are in regards to the holding and processing of personal data.
One of the first things they teach at law school is to work out what obligations and responsibilities each party has in a given situation. Knowing who's who in any relationship is crucial, especially when something goes wrong.
Under GDPR, organizations need to understand the difference between data controllers and data processors. Depending on which of these your organization is, GDPR sets obligations on, and limits to, what you can do with personal data, and who is responsible for what.
What is a Data Controller?
A data controller is a central figure when it comes to protecting the rights of the data subject (a.k.a. the individual).
The data controller, as its name implies, determines the purposes and means of the processing: the 'why' and the 'how' of what is done with the data.
The data controller can also process the data by its own means. There are situations, however, where a data controller needs an external service to process the data on its behalf.
In this case, the data controller engages another company to process the personal data. This does not mean that the data controller hands "control" to that organization. The data controller remains in control by setting the purposes and means to which that company may process the data, and those instructions must be documented.
These situations are ever more common in today’s interconnected economy. This is why we must also clarify the role of the data processor.
What is a Data Processor?
As we have just seen, the data controller can use an external organization to carry out the processing of the data it controls. These organizations that process the data on behalf of the data controller are called data processors.
It is important to point out that the data processor does not control the data and cannot change the purpose or use of the particular data set. The data processor is limited to processing the data according to the documented instructions and purpose given by the data controller. A processor that goes beyond those instructions and starts deciding purposes and means of its own becomes a controller in respect of that processing (GDPR Art. 28(10)), with all the obligations that entails.
A good way to think of a data processor is as a specialized technical partner, appointed to carry out specific tasks to accomplish the goals set by the data controller.
Why is this distinction important?
In a perfect world, the data controller and data processor would know their roles exactly and communication between them would be seamless. The real world is far from perfect, so GDPR establishes a framework of roles and duties for when problems arise.
A common example where knowing one's role is crucial is a personal data breach. The processor must notify the controller without undue delay after becoming aware of the breach (GDPR Art. 33(2)); the controller must then assess the risk and, where required, notify the supervisory authority without undue delay and, where feasible, within 72 hours (Art. 33(1)). Each company affected by the breach must therefore be able to show that it acted within the limits of its own responsibilities.
OK, so what?
In today's business world, almost every organization outsources some part of its processing to an external data processor (hosting, e-mail, payroll, analytics, support tooling). As a data controller, you must ensure that each of your data processors is aware of, and bound to, its GDPR obligations.
Before handing any processing to a third party, make sure a clear and specific data processing agreement is in place. GDPR Art. 28 requires this to be a written contract (electronic form is fine) that sets out, among other things, the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and the controller's documented instructions. It is equally important to know what your own company's involvement is with the particular data you are handling.
How do I know if I am a data controller or a data processor?
As in many areas of our lives, things are not always black and white. In some particular cases, there may be grey areas that would need additional legal expertise to clear things up.
To get you started, here is a quick guide to help you understand your role when handling personal data.
You may be a data controller if your organization decides:
to collect the personal data and has the legal basis for doing so;
which items of personal data to collect;
to modify the data;
the purpose or purposes the data are to be used for;
whether to share the data, and if so, with whom;
how long to retain the data.
Your organization may be a data processor if it is instructed by a data controller to carry out some of the following tasks:
implement IT systems or other methods to collect personal data;
use certain tools or techniques to collect personal data;
implement the security measures protecting the personal data;
store the personal data;
transfer the personal data from one organization to another.
These lists are not exhaustive, and grey areas (a.k.a. uncertainties) may arise, for example when two organizations jointly decide the purposes and means of processing and are therefore joint controllers. We hope that this article has helped you understand the distinction between a data controller and a data processor a little better.
It is a distinction that helps you understand your organization's role under GDPR. If you still have doubts or concerns, it is always advisable to consult a legal expert on the matter.