In the first part of this blog series, I said that the changes GDPR brings about are substantial and broaden the scope of personal privacy laws. One of the big changes the Regulation brings about is the set of responsibilities placed on data processors and data controllers when they handle the data of data subjects. In this article, I explore the obligations of data controllers and data processors, but first let us try to understand these different roles.
Data subjects: These are individuals. That would be you and me, the people whom the personal data is about. Data subjects are living natural persons (as opposed to legal persons). That distinction between legal persons and natural persons is significant because it determines whether a specific piece of data is personal data or not. Personal data is data about living natural persons. The Regulation does not count as a data subject an individual who has died, or who cannot be identified or distinguished from others. Data subjects are given rights, and their personal data should be processed in accordance with those rights.
Article 4 of GDPR defines data controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or member state law, the controller or the specific criteria for its nomination may be provided for by European Union or member state law.
Primarily, the controller is held liable for data protection. The key aspect here is ‘control’. Even if the data is not in the possession of the organisation, it will, for GDPR purposes, be the data controller if it has control over the data. The data controller is responsible for determining the purposes for which the personal data is being used, and what privacy protection needs to be implemented. It is the controller that collects the personal data and determines the legal basis for doing so. The controller also determines how long to retain the data for.
The controller may appoint processors for various tasks. Data processors are natural or legal persons, public authorities or other agencies and bodies which process personal data on behalf of the controller. For example, the controller may have a third-party IT supplier which determines where the data is stored and what technical controls are implemented. That IT company will be the data processor. Or, the controller may pass some personal data to a marketing agency for targeted email campaigns. That agency is a data processor in so far as the campaign data is concerned.
Other examples of processors would be payroll processing companies, SaaS providers, cloud service providers and even companies that provide services around the secure disposal of personal data. In short, any service provider that obtains access to personal data controlled by another organisation is a data processor. The data processor has the responsibility to use its knowledge and expertise to carry out specified activities on behalf of the data controller.
When personal data is processed, an organization will do so either as a data controller or as a data processor. In certain circumstances, it may not be clear who the controller is and who the processors are. Although controllers and processors both have obligations over personal data, they have different responsibilities.
The current Data Protection Act (1998) puts the responsibilities and obligations on the data controller. Data processors are only required to comply with the instructions of the data controller. The controller may choose to enforce a Data Protection Agreement on processors that makes it mandatory for them to comply with the principles of the Data Protection Act.
The GDPR has changed these provisions such that both data controllers and data processors will be jointly and severally responsible for ensuring the protection of personal data. For non-compliance with GDPR requirements, both controllers and processors may be penalised. Consequently, the risks for data processors have significantly gone up. Data processors’ degree of responsibilities and costs of compliance may also go up if, for instance, controllers require processors to acquire security certification or implement additional technical or organisational controls. It is important that the processing of personal data is always handled according to written contracts and subject to appropriate security measures.
Depending on the circumstances, an entity may be a controller in respect of some processing activities and a processor with regards to other processing activities. The key distinction is the extent of freedom the two parties have in determining what the data is used for, and in what way the data is processed. In practice, the data controller will have more control over and possibly ownership of the data.
For example, a marketing agency may receive personal data from a client for running a campaign on behalf of that client. But it may then use personal data received from many clients to run analytics to evaluate campaign effectiveness[i]. In this instance, the agency is a processor with regards to the campaigns it runs for its clients, but the controller with regards to the analytics and evaluation work.
The responsibilities of controllers are laid out in article 24 of the Regulation. These include:
- Implementation of appropriate technical and organisational measures to ensure lawful processing of personal data
- Implement adequate data protection policies
- Conduct a privacy impact assessment where required
- Adhere to codes of conduct drawn up by supervisory authorities in member states (such as the ICO in the UK)
- Consider data protection by design and by default in processing activities
- Demonstrate compliance with the Regulation
Controllers can appoint only those processors that guarantee compliance with the requirements of the GDPR. The processors must also implement appropriate technical and organisational controls.
In addition, processors must adhere to the multiple requirements laid out in Article 28. These include:
- Processing must be governed by a contract or other legal provisions that are binding on the processors
- Adhere to codes of conduct or certification mechanisms to demonstrate compliance
- Not engaging other processors without prior authorisation from the controller
- If other processors are appointed by the first processor, the same data protection obligations will apply as they apply to the first processor
Chamber Train also offers a half-day or full-day compliance course in GDPR which, through hands-on learning, will teach you what changes your organisation may need to action to remain compliant. Click HERE for more information.
By Subrahmaniam Krishnan-Harihara, Research & Analytics Manager, Greater Manchester Chamber of Commerce
[i] Sharing of data for this purpose requires appropriate from data subjects.