Customer Stories
sunsweet-making-a-difference-featured

Making a difference in our clients’ lives

We positively impact the lives of our clients beyond their KPI reports.

Learn How

Marketing Strategy

Controller, Processor & Data Protection Responsibilities

| 11 Minutes to Read
Image of a white padlock surrounded by security icons in a blue background.
Summary: Data controller vs. Data processor: who is impacted and when does an organization need to hire a Data Protection Officer? Read more here.

Editor's Note: This post was originally published in March 2018 and has been updated with additional content on December 2020.

The buzz about the European Union’s upcoming General Data Protection Regulation (GDPR) is gathering steam as the date of enforcement, i.e., May 25th, 2018, draws close. One of the much-discussed elements of this law is the new guidelines it has laid down for data controllers and processors. While the GDPR retains some of the obligations that the Data Protection Directive places on both parties, it has introduced some new ones too. In this blog, we will discuss the data processor and controller responsibilities that the GDPR has conferred on each, and provide insights into how an organization, whether it is a controller or a processor, can start preparing itself to be GDPR-ready.

Who is a Data Controller? What is the Definition of a Data Processor?

In today’s digital world, data collection and storage is more of a norm than an exception. Businesses may collect individual data for advertising, marketing, analytical, or research purposes. Each time a business collects and processes an individual’s personal data, it does so as a ‘controller’ or a ‘processor.’ In Chapter 1, Article 4 of the GDPR the two are defined as below:

‘Controller’ is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Processor refers to “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

If an organization controls and is responsible for the personal data that it holds, it is a data controller. If, on the other hand, it holds the personal data, but some other organization decides and is responsible for what happens to the data, then it is a data processor

Data Controller vs. Data Processor: Who is Impacted by the GDPR?

The answer to this is both. Under the outgoing Data Protection Directive 95/46/EC, only controllers are liable for data protection noncompliance. However, the EU General Data Protection Regulation (GDPR) will strike a balance by allotting direct obligations to data processors as well.

According to Article 83, in the case of non-compliance, fines can be applied to both controllers and processors. These fines shall be imposed regarding “the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them.”

This represents a significant change and will dramatically increase the risk profile for entities, such as cloud and datacenter providers, that act as data processors. However, the impact will also be felt by controllers who engage their services as the increased cost of compliance may lead to a consequent increase in the cost of the processors’ services. Controllers will also have to be extra vigilant about the processors they engage with and ensure that they have the technical and operational measures required to be GDPR-compliant.

What is the Main Responsibility of a Data Controller?

Now that we have established that the controller and processor will share data protection obligations, let’s delve deeper into their responsibilities.

The data controller is the principal party for data collection responsibilities. These controller responsibilities include collecting individuals’ consent, storing the data, managing consent-revoking, enabling the right to access, etc. In addition, it has to possess the ability to demonstrate compliance with the principles relating to the processing of personal data. These principles are listed in the GDPR as “lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data.”

The GDPR provides additional detail on how organizations can demonstrate that their processing activities are lawful.

If an individual revokes consent, the controller will be responsible for initiating this request. Therefore, on receipt of this request, it will be required to ask the processor to remove the revoked data from their servers.

If several organizations share the controller responsibilities for the processing of personal data, the EU GDPR includes the existence of joint controllers. The joint controller is expected to determine their respective controller responsibilities by agreement and provide the content of this agreement to the data subjects, defining the means of communication with processors with a single point of contact. Therefore, the GDPR makes joint controllers fully liable.

The outgoing Directive exempts controllers from liability for harm arising in cases of force majeure or unforeseeable circumstances that prevent them from fulfilling their contractual agreement. However, the GDPR contains no such exemption, meaning controllers may bear the risk in force majeure cases.

The controller will have to record all data breaches. In addition, they are obliged to disclose any data breaches to GDPR-enforcing authorities on demand. Since the 72-hour deadline for reporting data breaches is likely to prove extremely challenging for the data controller, experts advise organizations to appoint a person to take responsibility for reviewing and reporting data breaches and implement clear data breach reporting policies and procedures, as required.

The controller is expected to work only with processors with the appropriate technical and organizational measures to comply with GDPR guidelines. In other words, data controllers, i.e., customers of GDPR data processors, shall only choose processors that comply with the GDPR or risk penalties themselves.

As supervisory authorities enforce penalties on controllers for lack of proper vetting, processors may find themselves obligated to obtain independent compliance certifications to reassure controllers who wish to avail their services. They may also need to take steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing. However, processors outside the EU may likely resist the imposition of these new obligations, potentially making it harder for controllers to appoint their desired processors lawfully, resulting in a more complex negotiation of outsourcing agreements.

What Will a Data Processor Have to do to be GDPR Compliant?

The processor is forbidden from using personal data it is entrusted with for purposes other than the ones outlined by the data controller. Upon request, the processor has to delete or return all personal data to the controller at the end of the service contract.

It can transfer personal data to a third country only after it receives legal authorization.

It has to obtain written permission from the controller before engaging a subcontractor and assume full liability for failures of subcontractors to meet the GDPR.

The processor has to enable and contribute to compliance audits conducted by the controller or a controller representative.

If there is a data breach, the processor is expected to notify the data controllers without undue delay

A processor is further required to maintain a record of data processing activities if it qualifies for any of the following criteria:

  • Employs 250 or more persons
  • Processes data that is “likely to result in a risk to the rights and freedoms of data subjects.”
  • Processes data more than occasionally.
  • Processes special categories of data as outlined in Article 9(1)
  • Processes data relating to criminal convictions

Processors will also need to review existing data processing agreements to ensure they have met their compliance obligations under the GDPR.

Who is Required to Appoint a DPO?

The concept of a ‘Data Protection Officer’ (DPO) for organizations processing personal data has been a mandatory requirement in some countries and best practice in others. However, the GDPR will make the appointment of a DPO compulsory for organizations regardless of their size or whether they are processing personal data in their capacity as a data controller or a data processor in select circumstances.

Under the GDPR (Article 37), there are three main scenarios where the appointment of a DPO by a data controller or data processor is mandatory:

  1. A public authority carries out the processing;
  2. The core activities of the controller or processor consist of processing operations that require regular and systematic processing of data subjects on a large scale; or
  3. The core activities of the controller or processor consist of processing on a large scale sensitive data or data relating to criminal convictions/offenses.

Core activities here refer to a controller or processor’s key operational activities. This does not include supporting activities such as payroll or IT support which are ancillary functions.

Organizations take into account several factors when determining if their processing is of ‘large scale.’ These include:

a) the number of data subjects concerned;
b) the volume of data or range of data items;
c) the duration of the processing; and
d) the geographical extent of the process.

Regular and systematic monitoring includes all forms of tracking and profiling on the internet. It is, however, not restricted to the online environment and could also have offline activity. ‘Regular’ monitoring will mean ongoing or occurring at particular intervals for a specific period; recurring or repeated at fixed times, or constantly or periodically taking place. ‘Systematic’ monitoring refers to monitoring that happens according to a system, pre-arranged, organized or methodical, taking place as part of a general plan for data collection, or carried out as part of a strategy.

It is also important to note that if an organization does not meet the requirements in the GDPR but instead voluntarily decides to appoint a DPO, then the same requirements that apply to mandatory DPOs will still apply. Therefore, if an organization chooses not to appoint a DPO, it is advised to document those reasons.

Qualifications of a Data Protection Officer

While the GDPR does not specify their precise credentials, a data protection officer is expected to have enough professional experience and knowledge of data protection law. This expertise should be proportionate to the type of processing the organization carries out and the level of protection the personal data requires.

Disclaimer: Please note that in this blog, we have provided basic information regarding the GDPR. WSI is not a legal authority for GDPR and can only offer advice on the best practices to follow while carrying out any digital marketing initiative. However, for advice regarding the legal interpretation of this law for your business, please approach a legal or data protection official.  

What Are the 7 Principles of the General Data Protection Regulation (GDPR)?

The way organizations collect, store, and use personal data is governed by the rules and regulations of the GDPR. The guidelines stipulated by the GDPR include:

1. Lawfulness, fairness, and transparency

Full transparency about the disclosure of how data is used is compulsory for all organizations in the UK. Should a data subject request more information about how their data is stored, used, and distributed, it has to be disclosed to them within a specified time frame as stipulated by the GDPR.

2. Purpose limitation

Organizations must state the reasons they are using the data subject's information. It can only be used, stored, and processed for this purpose and this purpose unless otherwise stipulated and agreed to by the data subject. This is not, however, strictly applied to information gathered for the purpose of scientific, statistical, or historical uses.

3. Data minimization

As the name suggests, only data that is required for the purposes for which it was collected should be used. In other words, data collected should not just be stored for a ‘just in case' scenario. It should be used as and when it is needed according to the organization's requirements. Any additional information that is kept over and above this is considered unlawful.

4. Accuracy

Accuracy of information is paramount to complying with the regulations as stipulated by the GDPR. Data subjects also hold the right to request that incorrect information be deleted within 30 days if their information is incorrect, incomplete, or outdated.

5. Storage limitation

Data should only be stored for as long as the information is needed by the organization for its intended use. There should be a framework in place for review purposes to ensure that outdated information is purged from the system. This does not apply to data stored for historical or statistical purposes.

6. Integrity and Confidentiality

Organizations must ensure that the data subjects’ personal information is always protected. This gives credence to the organization’s ability to handle personal data with integrity. It provides the data subjects peace of mind that their personal information won't be exposed online or interfered with by hackers who use malware and phishing methods to obtain data illegally.

7. Accountability

Accountability precedes transparency. This means that organizations must show that they have taken the necessary steps and followed the guidelines stipulated by the GDPR to ensure that they exhibit the principle of transparency.

Some of these data handling guidelines include implementing and evaluating the guidelines of the GDPR, appointing a supervisor in charge of data protection, and ensuring that the required consent is obtained at all times for data processing purposes.

Some Common Questions About Data Handling

Is Google a Data Controller?

Google controls data and is not a data processor, which means that data doesn't necessarily need to be stored and can be erased at any time, subject to the agreements that Google has with its third-party publishers. An organization is therefore implicitly bound by these guidelines if they are the third party that collects and stores information.

What is the role of the processor?

The processor assimilates and compiles collected data and processes this data under the guidance and authority of the data controller with the goal of obtaining clarity on how the company is performing.

What is the difference between a data controller and a processor?

The data processor falls under the data controller and is usually a third party acquired to process the data on behalf of the data controller who controls what the information is used for.

What is the role of the data controller?

The data controller, in essence, oversees how data is used, controls and supervises the duties of the data processor, and ensures that data is used, stored, and processed by the guidelines of the GDPR.

They also oversee the process from obtaining data consent to enabling data usage for the required purposes. In addition, they determine how the data is to be used and what specific data is needed to fulfill the purpose and objectives of the organization.

A data controller will control how data is collected from data subjects, ensuring that the required consent is obtained from the users. In addition, they will appoint a Data Protection Officer to ensure that all information remains confidential as governed by the GDPR.

Who can be a data controller GDPR?

The data controller can be any natural person, organization, or other authorized body that is responsible for how the data is controlled; they determine what the data is used for and is the person (usually the manager or owner of the website) that the data processor reports to.

How long can a company keep my data?

The length of time that data can be held by an organization is determined by the data subject. They can request for complete erasure of their data at any time, and the organization must comply.

The place of the data controller

There is a hierarchy and a place that the data controller falls into, which may appear at the top of the tier on the first appearance. But, ordinarily and in a perfect world, you would have the data controllers at the top of the hierarchy as a prominent role under the European Data Protection Board, under which will be the supervisory authorities that fall under the Data Protection Authorities beneath that the data processors.

However, categorizing the placement of a data controller is not so straightforward as the position of the data controller has many hats as they can also (if need be) process data. On the other hand, the top of the hierarchical structure could and should actually belong to the data subjects as their rights and the protection thereof is what is of utmost importance to the GDPR.

Conclusion

The GDPR will affect organizations in many ways, beyond data security and policies. Businesses that will be impacted must seek help or legal counsel if required. At the very least, they need a clear plan of action that includes training on GDPR, revisiting their data flow and processing mechanisms, previewing their privacy practices and policies, the way they leverage third-party data, and more. To get started on becoming GDPR-ready, we invite you to download our “12-Point Checklist to Help Prepare Your Organisation for GDPR” by clicking here.

Sources: 
General Data Protection Regulation - GDPR
Guide to the UK General Data Protection Regulation (UK GDPR)
Data Protection Officer – do you need to appoint one?
Chapter 10: Obligations of controllers – Unlocking the EU General Data Protection Regulation

The Best Digital Marketing Insight and Advice

The WSI Digital Marketing Blog is your ideal place to get tips, tricks, and best practices for digital marketing.