Editor's Note: This post was originally published in March 2018 and has been updated with new content on November 2020.
The buzz about the European Union’s upcoming General Data Protection Regulation (GDPR) is gathering steam as the date of enforcement, i.e., May 25th, 2018, draws close. One of the much-discussed elements of this law is the new guidelines it has laid down for data controllers and processors. While the GDPR retains some of the obligations that the Data Protection Directive places on both parties, it has introduced some new ones too. In this blog, we will discuss the data processor and controller responsibilities that the GDPR has conferred on each, and provide insights into how an organization, whether it is a controller or a processor, can start preparing itself to be GDPR-ready.
Who is a Data Controller? What is the Definition of a Data Processor?
In today’s digital world, data collection and storage is more of a norm than an exception. Businesses may collect individual data for advertising, marketing, analytical, or research purposes. Each time a business collects and processes an individual’s personal data, it does so as a ‘controller’ or a ‘processor.’ In Chapter 1, Article 4 of the GDPR the two are defined as below:
‘Controller’ is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Processor refers to “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
If an organization controls and is responsible for the personal data that it holds, it is a data controller. If, on the other hand, it holds the personal data, but some other organization decides and is responsible for what happens to the data, then it is a data processor
Data Controller vs. Data Processor: Who is Impacted by the GDPR?
The answer to this is both. Under the outgoing Data Protection Directive 95/46/EC, only controllers are liable for data protection noncompliance. However, the EU General Data Protection Regulation (GDPR) will strike a balance by allotting direct obligations to data processors as well.
According to Article 83, in the case of non-compliance, fines can be applied to both controllers and processors. These fines shall be imposed regarding “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.”
This represents a significant change and will dramatically increase the risk profile for entities, such as cloud and datacenter providers, that act as data processors. However, the impact will also be felt by controllers who engage their services as the increased cost of compliance may lead to a consequent increase in the cost of the processors’ services. Controllers will also have to be extra vigilant about the processors they engage with and ensure that they have the technical and operational measures required to be GDPR-compliant.
What are the Data Controller’s Responsibilities?
Now that we have established that both the controller and processor will share data protection obligations, let’s delve deeper into their responsibilities.
The data controller is the principal party for data collection responsibilities. These controller responsibilities include collecting individual’s consent, storing of the data, managing consent-revoking, enabling the right to access, etc. It has to possess the ability to demonstrate compliance with the principles relating to the processing of personal data. These principles are listed in the GDPR as “lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data.”
The GDPR provides additional detail on how organizations can demonstrate that their processing activities are lawful.
If an individual revokes consent, the controller will be responsible for initiating this request. Therefore, on receipt of this request, it will be required to ask the processor to remove the revoked data from their servers.
If there are several organizations that share the controller responsibilities for the processing of personal data, the EU GDPR includes the existence of joint controllers. The joint controller is expected to determine their respective controller responsibilities by agreement and provide the content of this agreement to the data subjects, defining the means of communication with processors with a single point of contact. The GDPR makes joint controllers fully liable.
The outgoing Directive exempts controllers from liability for harm arising in cases of force majeure or unforeseeable circumstances that prevent them from fulfilling their contractual agreement. The GDPR contains no such exemption, meaning that controllers may bear the risk in force majeure cases.
The controller will have to record all data breaches. They are obliged to disclose any data breaches to GDPR-enforcing authorities on demand. Since the 72 hour deadline for reporting data breaches is likely to prove extremely challenging for the data controller, experts advice organizations to appoint a person to take responsibility for reviewing and reporting data breaches, and implement clear data breach reporting policies and procedures, as required.
The controller is expected to work only with those processors that have the appropriate technical and organisational measures to comply with GDPR guidelines. In other words, data controllers, i.e., customers of data processors shall only choose processors that comply with the GDPR, or risk penalties themselves.
As supervisory authorities enforce penalties on controllers for lack of proper vetting, processors may find themselves obligated to obtain independent compliance certifications to reassure controllers who wish to avail their services. They may also need to take steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing. It is likely that processors located outside the EU may resist the imposition of these new obligations, potentially making it harder for controllers to lawfully appoint their desired processors, and resulting in more complex negotiation of outsourcing agreements.
What Will a Data Processor Have to do to be GDPR Compliant?
The processor is forbidden from using personal data it is entrusted with for purposes other than the ones outlined by the data controller. Upon request, the processor has to delete or return all personal data to the controller at the end of the service contract.
It can transfer personal data to a third country only after it receives legal authorization.
It has to obtain written permission from the controller before engaging a subcontractor and assume full liability for failures of subcontractors to meet the GDPR.
The processor has to enable and contribute to compliance audits conducted by the controller or a representative of the controller.
If there is data breach, the processor is expected to notify the data controllers without undue delay
A processor is further required to maintain a record of data processing activities if it qualifies for any of the following criteria:
- Employs 250 or more persons
- Processes data that is “likely to result in a risk to the rights and freedoms of data subjects”
- Processes data more than occasionally
- Processes special categories of data as outlined in Article 9(1)
- Processes data relating to criminal convictions
Processors will also need to review existing data processing agreements to ensure that they have met their compliance obligations under the GDPR.
Who is Required to Appoint a DPO?
The concept of a ‘Data Protection Officer’ (DPO) for organizations processing personal data has been a mandatory requirement in some countries and best practice in others. However, the GDPR will make the appointment of a DPO mandatory for organizations regardless of their size or whether they are processing personal data in their capacity as a data controller or a data processor in select circumstances.
Under the GDPR (Article 37), there are three main scenarios where the appointment of a DPO by a data controller or data processor is mandatory:
- The processing is carried out by a public authority;
- The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
- The core activities of the controller or processor consist of processing on a large scale of sensitive data or data relating to criminal convictions / offenses
Core activities here refer to a controller or processor’s key operational activities. This does not include supporting activities such as payroll or IT support which are ancillary functions.
Organizations take into account a number of factors when determining if their processing is of ‘large scale’. These include:
a) the number of data subjects concerned;
b) the volume of data or range of data items;
c) the duration of the processing; and
d) the geographical extent of the process.
Regular and systematic monitoring includes all forms of tracking and profiling on the internet. It is, however, not restricted to the online environment and could also include offline activity. ‘Regular’ monitoring will mean ongoing or occurring at particular intervals for a particular period; recurring or repeated at fixed times or constantly or periodically taking place. ‘Systematic’ monitoring refers to monitoring that happens according to a system, pre-arranged, organized or methodical, taking place as part of a general plan for data collection, or carried out as part of a strategy.
It is also important to note that if an organization does not meet the requirements in the GDPR, but instead voluntarily decides to appoint a DPO, then the same requirements that apply to mandatory DPOs will still apply. If an organization decides not to appoint a DPO, it is advised to document those reasons clearly.
Qualifications of a Data Protection Officer
While the GDPR does not specify their precise credentials, a data protection officer is expected to have enough professional experience and knowledge of data protection law. This expertise should be proportionate to the type of processing the organization carries out and the level of protection the personal data requires.
Disclaimer: Please note that in this blog, we have provided basic information regarding the GDPR. WSI is not a legal authority for GDPR and can only offer advice on the best practices to follow while carrying out any digital marketing initiative. However, for advice regarding the legal interpretation of this law for your business, please approach a legal or data protection official.
What Are the 7 Principles of the General Data Protection Regulation (GDPR)?
The way organizations collect, store, and use personal data is governed by the rules and regulations of the GDPR. The guidelines stipulated by the GDPR include:
1. Lawfulness, fairness, and transparency
Full transparency with regard to the disclosure of how data is used is compulsory for all organizations in the UK. Should a data subject request more information about how their data is stored, used, and distributed it has to be disclosed to them within a specified time frame as stipulated by the GDPR.
2. Purpose limitation
Organizations must state the reasons they are using the data subject's information for and it can only be used, stored, and processed for this purpose and this purpose only, unless of course otherwise stipulated and agreed to by the data subject. This is not however as strictly applied to information gathered for the purpose of scientific, statistical, or historical uses.
3. Data minimization
As the name suggests, only data that is required for the purposes for which it was collected should be used. In other words, data collected should not just be stored for a ‘just in case’ scenario. It should be used as and when it is needed according to the organization's requirements. Any additional information that is kept over and above this is considered unlawful.
Accuracy of information is paramount to comply with the regulations as stipulated by the GDPR. Data subjects also hold the right to request that incorrect information be deleted within 30 days if their information is incorrect, incomplete, or outdated.
5. Storage limitation
Data should only be stored for as long as the information is needed by the organization for the purpose it was intended to be used. There should be a framework in place for review purposes to ensure that outdated information is purged from the system. This is not applicable to data that is stored for historical or statistical purposes.
6. Integrity and Confidentiality
Organizations must ensure that the data subjects’ personal information is protected at all times. This gives credence to the organization’s ability to handle personal data with integrity, and it gives the data subjects’ peace of mind that their personal information won't be exposed online or interfered with by hackers who use malware and phishing methods to obtain data illegally.
Accountability precedes transparency. This means that organizations must be able to show that they have taken the necessary steps and followed the guidelines as stipulated by the GDPR to make sure that they exhibit the principle of transparency.
Some of these data handling guidelines include implementing and evaluating the guidelines of the GDPR, appointing a supervisor in charge of data protection, as well as ensuring that the required consent is obtained at all times for data processing purposes.
Some Common Questions About Data Handling
Is Google a Data Controller?
Google controls data and is not a data processor which means that data doesn't necessarily need to be stored and can be erased at any time subject to the agreements that Google has with its third-party publishers. An organization is therefore implicitly bound by these guidelines, if they are the third party that collects and stores information.
What is the role of the processor?
The processor assimilates and compiles collected data and processes this data under the guidance and authority of the data controller with the end goal of obtaining clarity as to how the company is performing.
What is the difference between a data controller and processor?
The data processor falls under the data controller and is usually a third party who is acquired to process the data on behalf of the data controller who controls what the information is used for.
What is the role of the data controller?
The data controller, in essence, oversees how data is used, controls and oversees the duties of the data processor, and ensures that data is used, stored, and processed in accordance with the guidelines of the GDPR.
They also oversee the process from obtaining data consent to enabling the usage of data for the required purposes. They determine how the data is to be used and what specific data is needed to fulfill the purpose and objectives of the organization.
A data controller will control how data is collected from data subjects, they will ensure that the required consent is obtained from the users, and they will appoint a Data Protection Officer to make sure that all information remains confidential as governed by the GDPR.
Who can be a data controller GDPR?
The data controller can be any natural person, organization, or other authorized body that is responsible for how the data is controlled; they determine what the data is used for and is the person (usually the manager or owner of the website) that the data processor reports to.
How long can a company keep my data?
The length of time that data can be held by an organization is determined by the data subject. They can request for complete erasure of their data at any time, and the organization must comply.
The place of the data controller
There is a hierarchy and a place that the data controller falls into which on first appearance may appear to be at the top of the tier. Ordinarily and in a perfect world, you would have the data controllers at the top of the hierarchy as a prominent role under the European Data Protection Board, under that, will be the supervisory authorities that fall under the Data Protection Authorities, and beneath that the data processors.
However, categorizing the placement of a data controller is not so straightforward as the position of the data controller has many hats as they can also (if need be) also process data. On the other hand, the top of the hierarchical structure could and should actually belong to the data subjects as their rights and the protection thereof is what is of utmost importance to the GDPR.
The GDPR will affect organizations in many ways, beyond data security and policies. Businesses that will be impacted must seek help or legal counsel if required. At the very least, they need a clear plan of action that includes training on GDPR, revisiting their data flow and processing mechanisms, previewing their privacy practices and policies, the way they leverage third-party data and more. To get started on becoming GDPR-ready, we invite you to download our “12-Point Checklist to Help Prepare Your Organisation for GDPR” by clicking here.