The General Data Protection Regulation (GDPR) has applied to organisations that process the personal data of people in the EU since 25 May 2018, and becoming and remaining GDPR-compliant is now a priority for most of them. When assessing compliance with the GDPR, the two roles an organisation is most likely to hold are "data controller" and "data processor".
Each role carries its own set of responsibilities under the GDPR. The distinction is not new: the UK's Data Protection Act 1998 (the DPA), which gave individuals particular rights over their personal information and has since been superseded by the Data Protection Act 2018, already distinguished explicitly between the data controller and the data processor.
Under the DPA, not every organisation processing personal data carried the same responsibility: the data controller was the party that exercised overall control over the processing and therefore bore the data protection obligations. This distinction was one of the key features of Directive 95/46/EC, on which the UK's DPA was based, and the GDPR retains it.
“Article 4 of the GDPR draws the same line between data controller and data processor: the data controller is the party that determines the purposes and means of processing personal data, alone or jointly with others. The right of access, exercised through a Data Subject Access Request (DSAR), is one of the key rights the GDPR confers on data subjects, and it sits alongside the other data subject rights (rectification, erasure, restriction, portability and objection).”
The data processor, by contrast, is a separate party that processes personal data on behalf of the data controller and on its instructions. "Processing" is defined broadly: collecting, recording, organising, storing, retrieving, using, disclosing, erasing or carrying out any other operation or set of operations on personal data all count.
That broad definition of "processing" describes what a processor does, but the processor's decisions are limited to the more "technical" aspects of an operation, such as how data is stored, retrieved or erased, and even those must stay within the controller's instructions.
“The data controller retains responsibility for the activities that involve interpretation, the exercise of professional judgment or significant decision-making about personal data: what is collected, why, for how long, and with whom it is shared.”
An organisation that determines why and how personal data is processed must process it lawfully and retains data controller responsibility for that processing.
It cannot shed that responsibility, or contract it away, by handing the data to another data controller or to a data processor.
The following checklists set out indicators as to whether you are a controller, a processor or a joint controller. The more boxes you tick, the more likely you are to fall within the relevant category:
The importance of distinguishing between data controllers and data processors
The distinction between data controller and data processor has significant real-world consequences. In the event of a personal data breach, the controller must notify the ICO (the UK supervisory authority) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a processor that discovers a breach must notify its controller without undue delay.
“The ICO will identify the privacy gaps and determine who is accountable for them. Every organisation that processes personal data must therefore establish its role, and its responsibilities, before the processing begins.”
These measures are mandatory, and the gaps they are meant to close are not theoretical: an organisation that has not established who is responsible for what will let data subject requests go unanswered, and an unanswered DSAR is itself a breach of the GDPR. Organisations should carry out a GDPR audit on a regular basis to identify and close any privacy gaps and to make sure they can respond to DSARs within the statutory one-month period.
Identifying whether an organisation is a data controller or a data processor
The data controller determines the purposes for which, and the manner in which, personal data is processed. It may do so alone, jointly with other organisations, or in common with them.
That wording gives the controller role considerable flexibility. Two controllers may share responsibility for the same processing, with one primarily determining the purposes and the other primarily directing the manner of processing; the GDPR calls such parties joint controllers and requires them to agree, transparently, which of them is responsible for which obligations.
Difference between a data controller vs data processor
The data controller decides the purposes and means of processing personal data; the data processor puts that decision into effect, operating the tools and carrying out the processing on the controller's behalf. A given processing activity may have more than one controller, but usually it has just one, and it may well involve several processors (a hosting provider, a payroll bureau, an analytics vendor). The controller sets the plan and governs the activity; the processor executes it.
In short, the data controller owns the "why" and the "how" of a data processing activity, while the data processor is responsible for operating the tools that carry it out.
“The data processor has no independent control over the purposes of the processing or the significant decisions about it. Responsibility for those decisions rests with the data controller, which must comply with the relevant law and ensure that all processing is carried out lawfully and securely.”
Some organisations are both controller and processor for different processing activities; Facebook and Google, for example, are controllers for the personal data of their own users and processors where they process data on behalf of business customers. Such an organisation must meet the obligations of both roles, which in practice means mapping each processing activity to the role it holds for it and assigning compliance ownership accordingly.
Compliance with the data protection principles and rules for data controllers
If one data controller transfers personal data to another data controller, each is accountable for its own compliance in respect of that data; the transferring controller cannot assume the recipient will meet obligations it has not agreed to take on.
Where the data sharing is systematic, large-scale or particularly risky, the controllers should sign a data-sharing agreement. The agreement covers matters such as what the data may be used for, whether it may be disclosed further, and how long it may be retained.
The agreement should set out the duties of each data controller explicitly, so that every aspect of compliance has a named owner.
In the case of non-compliance, the ICO will investigate and take action against the data controller that has failed to meet its data protection obligations. A data controller may be found in breach of those obligations, for example, in the following cases:
- Unreasonable allocation of responsibility
- One of the data controllers is found to be non-compliant
- When one data controller receives the subject access request but fails to transfer it to the data controller responsible for handling requests.
Contracts between data controllers and data processors
Article 28 of the GDPR requires a written contract between the data controller and any data processor it engages. In it the controller sets out its instructions and the processor's key responsibilities and obligations for data protection, including processing only on documented instructions, keeping the data confidential, implementing appropriate security measures, assisting the controller with data subject requests and breach notifications, and deleting or returning the data at the end of the service.
Transfers of personal data to data processors overseas
The GDPR restricts transfers of personal data outside the European Economic Area (EEA), and the contract with the processor should reflect those restrictions. Put simply, a data controller must ensure that any transfer of personal data overseas is adequately protected, for example by relying on an adequacy decision or on approved standard contractual clauses, and that the processor does not move the data to a further country without the controller's authorisation.
Data processors who take on data controller responsibilities
If a data processor is directly served with a warrant requiring it to provide particular personal data to a law enforcement agency, it must comply with that legal obligation itself rather than defer to its controller.
In deciding how to comply with the request, which data to provide or withhold and in what format to supply it, the processor is determining purposes and means, and it therefore acts as a data controller for that disclosure and carries a controller's responsibilities for it.
Data processors who are also data controllers
A data processor will usually also be a data controller in its own right for personal data that it does not process on behalf of its controller clients, such as the data of its own employees, suppliers and customers.
As an organisation works towards GDPR compliance, the responsibilities attached to both roles become more demanding. A key to compliance is recognising the difference between the two roles, establishing which role the organisation holds for each processing activity, and making sure the responsibilities of each are carried out effectively. Organisations should conduct regular GDPR audits to identify the key risks and take action to mitigate them, so as to remain compliant with the GDPR and with other data privacy regulations.