To protect consumer data and privacy in the digital age, the GDPR comes into force on 25th May 2018. With it, legal obligations for data processors have increased tremendously.
But what’s the difference between a data controller and a data processor? (And yes, you can be both). And what are their obligations?
What is a data controller?
Under the GDPR, a data controller is “the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data”.
So the determining factor here is control, rather than possession. In plain English, the data controller is the person (or organisation) that decides why and how personal data is processed. They control the data but don’t necessarily store or process it, although they are responsible for how it’s used, stored and deleted.
What is a data processor?
A data processor, on the other hand, is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
This could include something as simple as storing the data on a third party’s server, but also includes for example payroll companies, accountants and market research businesses.
What’s the difference for data controllers under GDPR?
As with the Data Protection Act (DPA), controllers continue to be legally obliged to:
- Notify the ICO (or the relevant national authority) before carrying out any data processing
- Provide information to individuals about, for example, the controller’s identity, what personal data of theirs it holds and what it plans to do with it
- Comply with data laws regarding the fair and lawful processing of personal data for specific and legitimate purposes
Data controllers must also:
- Protect personal data against compromise or loss through implementing technical and organisational measures
- Have a contract with their processors that requires them to act only on the controller’s instructions and to comply with data protection laws – now the GDPR
What’s the difference for data processors under GDPR?
It’s a whole different ball game for processors. Where previously, data processors could avoid legal liability, under the GDPR, processors have many more obligations. The most significant are that they are now required to:
- Maintain a record of all processing operations under their responsibility
- Be responsible for implementing appropriate security measures
- Inform the controller(s) immediately of any data breach
- Hold status as joint controller for any data processing they carry out beyond the scope of the controller’s instructions
- Appoint a Data Protection Officer, if their business processes ‘big data’ or sensitive data
If your organisation is still getting to grips with GDPR, check out these online training courses from Me Learning – across sectors, departments and up to Board level.