Summary: Data controller vs. Data processor: who is impacted and when does an organization need to hire a Data Protection Officer? Read more here.
Editor’s Note: This post was originally published in March 2018 and has been updated with additional content on September 2022.
The buzz about the European Union’s upcoming General Data Protection Regulation (GDPR) is gathering steam as the date of enforcement, i.e., May 25th, 2018, draws close. One of the much-discussed elements of this law is the new guidelines it has laid down for data controllers and processors. While the GDPR retains some of the obligations that the Data Protection Directive places on both parties, it has introduced some new ones too. In this blog, we will discuss the data processor and controller responsibilities that the GDPR has conferred on each, and provide insights into how an organization, whether it is a controller or a processor, can start preparing itself to be GDPR-ready.
In today’s digital world, data collection and storage is more of a norm than an exception. Businesses may collect individual data for advertising, marketing, analytical, or research purposes. Each time a business collects and processes an individual’s personal data, it does so as a ‘controller’ or a ‘processor.’ In Chapter 1, Article 4 of the GDPR, the two are defined as below:
‘Controller’ is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Processor refers to “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
If an organization controls and is responsible for the personal data that it holds, it is a data controller. If, on the other hand, it holds the personal data, but some other organization decides and is responsible for what happens to the data, then it is a data processor
The answer to this is both. Under the outgoing Data Protection Directive 95/46/EC, only controllers are liable for data protection noncompliance. However, the EU General Data Protection Regulation (GDPR) will strike a balance by allotting direct obligations to data processors as well.
According to Article 83, in the case of non-compliance, fines can be applied to both controllers and processors. These fines shall be imposed regarding “the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them.”
This represents a significant change and will dramatically increase the risk profile for entities like cloud and data center providers that act as data processors. However, the impact will also be felt by controllers who engage their services as the increased cost of compliance may lead to a consequent increase in the cost of the processors’ services. Controllers will also have to be extra vigilant about the processors they engage with and ensure that they have the technical and operational measures required to be GDPR-compliant.
Now that we have established that the controller and processor will share data protection obligations, let’s delve deeper into their responsibilities.
The data controller is the principal party for data collection responsibilities. These controller responsibilities include collecting individuals’ consent, storing the data, managing consent-revoking, enabling the right to access, etc. In addition, it has to possess the ability to demonstrate compliance with the principles relating to the processing of personal data. These principles are listed in the GDPR as “lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data.”
The GDPR provides additional detail on how organizations can demonstrate that their processing activities are lawful.
If an individual revokes consent, the controller will be responsible for initiating this request. Therefore, on receipt of this request, it will be required to ask the processor to remove the revoked data from their servers.
If several organizations share the controller responsibilities for the processing of personal data, the EU GDPR includes the existence of joint controllers. The joint controller is expected to determine their respective controller responsibilities by agreement and provide the content of this agreement to the data subjects, defining the means of communication with processors with a single point of contact. Therefore, the GDPR makes joint controllers fully liable.
The outgoing Directive exempts controllers from liability for harm arising in cases of force majeure or unforeseeable circumstances that prevent them from fulfilling their contractual agreement. However, the GDPR contains no such exemption, meaning controllers may bear the risk in force majeure cases.
The controller will have to record all data breaches. In addition, they must disclose any data breaches to GDPR-enforcing authorities on demand. Since the 72-hour deadline for reporting data breaches is likely to prove extremely challenging for the data controller, experts advise organizations to appoint a person to take responsibility for reviewing and reporting data breaches and implement clear data breach reporting policies and procedures, as required.
The controller is expected to work only with processors with the appropriate technical and organizational measures to comply with GDPR guidelines. In other words, data controllers, i.e., customers of GDPR data processors, shall only choose processors that comply with the GDPR or risk penalties themselves.
As supervisory authorities enforce penalties on controllers for lack of proper vetting, processors may find themselves obligated to obtain independent compliance certifications to reassure controllers who wish to avail their services. They may also need to take steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing. However, processors outside the EU may likely resist the imposition of these new obligations, potentially making it harder for controllers to appoint their desired processors lawfully, resulting in a more complex negotiation of outsourcing agreements.
The processor is forbidden from using personal data it is entrusted with for purposes other than the ones outlined by the data controller. Upon request, the processor has to delete or return all personal data to the controller at the end of the service contract.
It can transfer personal data to a third country only after it receives legal authorization.
It has to obtain written permission from the controller before engaging a subcontractor and assume full liability for failures of subcontractors to meet the GDPR.
The processor has to enable and contribute to compliance audits conducted by the controller or a controller representative.
If there is a data breach, the processor is expected to notify the data controllers without undue delay
A processor is further required to maintain a record of data processing activities if it qualifies for any of the following criteria:
Processors will also need to review existing data processing agreements to ensure they have met their compliance obligations under the GDPR.
The concept of a ‘Data Protection Officer’ (DPO) for organizations processing personal data has been a mandatory requirement in some countries and best practice in others. However, the GDPR will make the appointment of a DPO compulsory for organizations regardless of their size or whether they are processing personal data in their capacity as a data controller or a data processor in select circumstances.
Under the GDPR (Article 37), there are three main scenarios where the appointment of a DPO by a data controller or data processor is mandatory:
Core activities here refer to a controller or processor’s key operational activities. This does not include supporting activities such as payroll or IT support which are ancillary functions.
Organizations take into account several factors when determining if their processing is of a ‘large scale.’ These include:
a) the number of data subjects concerned;
b) the volume of data or range of data items;
c) the duration of the processing; and
d) the geographical extent of the process.
Regular and systematic monitoring includes all forms of tracking and profiling on the internet. It is, however, not restricted to the online environment and could also have offline activity. ‘Regular’ monitoring will mean ongoing or occurring at particular intervals for a specific period; recurring or repeated at fixed times, or constantly or periodically taking place. ‘Systematic’ monitoring refers to monitoring that happens according to a system, pre-arranged, organized or methodical, taking place as part of a general plan for data collection, or carried out as part of a strategy.
It is also important to note that if an organization does not meet the requirements in the GDPR but instead voluntarily decides to appoint a DPO, then the same requirements that apply to mandatory DPOs will still apply. Therefore, if an organization chooses not to appoint a DPO, it is advised to document those reasons.
While the GDPR does not specify their precise credentials, a data protection officer is expected to have enough professional experience and knowledge of data protection law. This expertise should be proportionate to the type of processing the organization carries out and the level of protection the personal data requires.
Disclaimer: Please note that in this blog, we have provided basic information regarding the GDPR. WSI is not a legal authority for GDPR and can only offer advice on the best practices to follow while carrying out any digital marketing initiative. However, for advice regarding the legal interpretation of this law for your business, please approach a legal or data protection official.
What Are the 7 Principles of the General Data Protection Regulation (GDPR)?
The way organizations collect, store, and use personal data is governed by the rules and regulations of the GDPR. The guidelines stipulated by the GDPR include:
Full transparency about the disclosure of how data is used is compulsory for all organizations in the UK. Should a data subject request more information about how their data is stored, used, and distributed, it has to be disclosed to them within a specified time frame as stipulated by the GDPR.
Organizations must state the reasons they are using the data subject’s information. It can only be used, stored, and processed for this purpose and this purpose unless otherwise stipulated and agreed to by the data subject. This is not, however, strictly applied to information gathered for the purpose of scientific, statistical, or historical uses.
As the name suggests, only data that is required for the purposes for which it was collected should be used. In other words, data collected should not just be stored for a ‘just in case’ scenario. It should be used as and when it is needed according to the organization’s requirements. Any additional information that is kept over and above this is considered unlawful.
Accuracy of information is paramount to complying with the regulations as stipulated by the GDPR. Data subjects also hold the right to request that incorrect information be deleted within 30 days if their information is incorrect, incomplete, or outdated.
Data should only be stored for as long as the information is needed by the organization for its intended use. There should be a framework in place for review purposes to ensure that outdated information is purged from the system. This does not apply to data stored for historical or statistical purposes.
Organizations must ensure that the data subject’s personal information is always protected. This gives credence to the organization’s ability to handle personal data with integrity. It provides the data subjects peace of mind that their personal information won’t be exposed online or interfered with by hackers who use malware and phishing methods to obtain data illegally.
Accountability precedes transparency. This means that organizations must show that they have taken the necessary steps and followed the guidelines stipulated by the GDPR to ensure that they exhibit the principle of transparency.
Some of these data handling guidelines include implementing and evaluating the guidelines of the GDPR, appointing a supervisor in charge of data protection, and ensuring that the required consent is obtained at all times for data processing purposes.
Google controls data and is not a data processor, which means that data doesn’t necessarily need to be stored and can be erased at any time, subject to the agreements that Google has with its third-party publishers. An organization is therefore implicitly bound by these guidelines if they are the third party that collects and stores information.
The processor assimilates and compiles collected data and processes this data under the guidance and authority of the data controller with the goal of obtaining clarity on how the company is performing.
The data processor falls under the data controller and is usually a third party acquired to process the data on behalf of the data controller who controls what the information is used for.
The data controller, in essence, oversees how data is used, controls and supervises the duties of the data processor, and ensures that data is used, stored, and processed by the guidelines of the GDPR.
They also oversee the process from obtaining data consent to enabling data usage for the required purposes. In addition, they determine how the data is to be used and what specific data is needed to fulfill the purpose and objectives of the organization.
A data controller will control how data is collected from data subjects, ensuring that the required consent is obtained from the users. In addition, they will appoint a Data Protection Officer to ensure that all information remains confidential as governed by the GDPR.
The data controller can be any natural person, organization, or other authorized body that is responsible for how the data is controlled; they determine what the data is used for and is the person (usually the manager or owner of the website) that the data processor reports to.
The length of time that data can be held by an organization is determined by the data subject. They can request for complete erasure of their data at any time, and the organization must comply.
There is a hierarchy and a place that the data controller falls into, which may appear at the top of the tier on the first appearance. But, ordinarily and in a perfect world, you would have the data controllers at the top of the hierarchy as a prominent role under the European Data Protection Board, under which will be the supervisory authorities that fall under the Data Protection Authorities beneath that the data processors.
However, categorizing the placement of a data controller is not so straightforward as the position of the data controller has many hats as they can also (if need be) process data. On the other hand, the top of the hierarchical structure could and should belong to the data subjects as their rights and protection are of utmost importance to the GDPR.
Where are we now in practical terms concerning the GDPR? There are still key issues being debated surrounding the complexity of the GDPR. Since coming into effect, there have been over 900 GDPR-related fines and cases across the UK alone. The number should give us some valuable insight into the compliance of the law and the issues involved with how the GDPR is being enforced.
According to the research, the fines relating to GDPR were estimated at around $179 million to $1.23 billion for the years between 2020 and 2021. The companies that were affected the most were high-profile and successful data companies. It seems these are the companies that have the most compliance issues. These companies have appealed the fines.
The countries most affected by GDPR compliance issues include Italy, Spain, Luxembourg, and Ireland. Fines range from high-value to low-value fines. Although we are not sure what drives compliance in some countries, a common theme is high-value fines for high-value companies. As we saw from the above data, larger companies will often see larger data breaches and, as a result, have to incur heavier fines.
GDPR regulations are now multinational. The future sees companies being made accountable for their data regardless of their location or headquarters. Complaints are made through a particular country, and any nation that is involved in the complaint is allowed to comment and be part of the appeal. A good example of this would be a company in France that has a data leak in Italy. The complaint will be moved to France regardless of their multinational locations.
There is a need, however, for more research into GDPR’s information security. The focus of GDPR is now on the responsibilities of data collectors and processors, with more information security measures being implemented. Along with these information security measures comes the need for regular testing and evaluation.
Last year, courts in the EU handed down a ruling that affected breaches that occurred by data processors. The Polish Data Protection Authority, which imposed a fine, was overruled by the court due to an illegal data download. The court questioned whether data controllers should be liable for their data processor’s actions. The court stated that even though the controller is responsible for GDPR compliance, personal data breaches are not the controller’s responsibility.
The EU and US also continue to negotiate over the transfer and processing of data between their servers. Even though these servers were originally protected by the US-EU Privacy Shield, they became invalidated by the European Court of Justice sometime in 2020 due to fears by the EU over ineffective US surveillance laws. The European Court of Justice claimed that US servers do not have enough security and policies in place to protect people outside of the US. Until a decision is made, businesses must handle their data breaches in court.
Today, data protection is still a work in progress. It is deemed a long-term process and a project that affects all businesses and the economy.
Today, data protection is still a work in progress. It is deemed a long-term process and a project that affects all businesses and the economy. In the EU, GDPR no longer applies to the UK. If you are outside of the UK, your business must comply with the Data Protection Act 2018. The EU GDPR was incorporated into this law.
Although the law has changed, nothing has been affected concerning data protection rights and obligations that companies must follow. GDPR policies are today used to ensure compliance and understanding of the principles and obligations of data protection.
It is important to take note that the EU GDPR may still apply if you operate in the EEA. You may have to follow the regulations if you offer services to individuals or companies in the EEA. It is best to check with applicable government officials to see which law applies to your business.
Although the GDPR lists the results it expects from companies that comply with good data management, it does not describe the steps companies should take to ensure GDPR compliance. Here are some tips we compiled to help you meet your data protection responsibilities and goals.
The GDPR will affect organizations in many ways, beyond data security and policies. Businesses that will be impacted must seek help or legal counsel if required. At the very least, they need a clear plan of action that includes training on GDPR, revisiting their data flow and processing mechanisms, previewing their privacy practices and policies, the way they leverage third-party data, and more.
To get started on becoming GDPR-ready and data protection, we invite you to download our “12-Point Checklist to Help Prepare Your Organisation for GDPR” by clicking here.
General Data Protection Regulation – GDPR
Guide to the UK General Data Protection Regulation (UK GDPR)
Data Protection Officer – do you need to appoint one?
Chapter 10: Obligations of controllers – Unlocking the EU General Data Protection Regulation
Data Protection and the EU
GDPR: Where are we now? And where are we going?
Rick spent 20 years in the insurance industry in finance, primarily developing reporting platforms for B & C stakeholders. His ability to speak to consumers of data (managers and analysts) and translate their needs to programmers led him to start his own digital marketing agency in 2004 to develop data driven solutions for business owners.
We are committed to protecting your privacy. For more info, please review our Privacy and Cookie Policies. You may unsubscribe at any time.