The General Data Protection Regulation (GDPR) has been imposed on various organizations since May 25th, 2018. Being GDPR-compliant is now the primary goal of every single organization. When complying with GDPR, the most common terms to acknowledge are “data controller” and “data processor”, because each has certain responsibilities under GDPR. However, the Data Protection Act 1998 (the DPA), which provides particular rights to individuals regarding their personal information, distinguishes between the data controller and the data processor more explicitly. According to it, it is unlikely that every organisation processing personal data has the same responsibility; it is the data controller that must control the processing and also carry data protection responsibility. This distinction is also a feature of Directive 94/46/EC, on which the UK’s DPA is based.
Section 1 differentiates between the data controller and the data processor by stating that data controllers are the ones accountable for the purpose and manner of processing personal data. By contrast, the data processor is a substitute for a data controller, processing personal data on behalf of a data controller. Accumulating, recording or handling information, or carrying out any operation or set of operations on the data, is known as processing.
The definition of ‘processing’ above suggests that a data processor’s activities must be limited to the more ‘technical’ aspects of an operation, namely data storage, retrieval or erasure. Activities that involve interpretation, the exercise of professional judgment or significant decision-making pertaining to personal data are entrusted to the data controller. Under the law on processing, an organisation must process personal data legitimately and retain data controller responsibility for that processing. That organisation mustn’t back away from its liability and hand it over to another data controller or data processor.
As a matter of fact, the distinction between data controller and data processor can lead to some significant real-world consequences. For instance, in case of a data breach, it is imperative for organisations to involve the ICO and let it identify what was lacking and who stands accountable for it. Organisations, especially those involved in data processing activities, must establish their roles and responsibilities before processing commences. All these steps are compulsory to close any gaps. Left open, these gaps will let subject requests go unanswered.
The data controller determines the purposes and manner in which personal data is processed. It can do so on its own, jointly or in common with other organisations. This means that it controls why and how a data processing activity is conducted. The above statement underlines the flexibility of the data controller role: one data controller can primarily control the purpose of the processing together with another data controller. It also works the other way round: one data controller can mainly direct the processing while letting another data controller take part in determining the purpose.
If one data controller transfers personal data to another data controller, both of them are equally answerable for the protection of that data. Furthermore, if the sharing is systemic, large-scale or particularly risky, both data controllers ought to sign a data sharing agreement. The agreement covers aspects such as how the data can be used and whether it can be further disclosed.
The agreement will set out the duties of all the data controllers explicitly. Each controller will deal with a specific aspect of compliance. If something goes wrong, the ICO will investigate and take action against the data controller that stands accused of failing its data protection obligations. Below are the cases in which a data controller may be caught failing its obligations.
There should be a written contract in which the controller issues contractual instructions to the processor regarding dos and don’ts.
The DPA restricts the transfer of personal data outside the European Economic Area. To put it differently, a data controller must ensure that personal data transferred overseas is adequately protected.
If a data processor is directly served with a warrant that requires it to provide particular personal data to a law enforcement agency, it takes on data controller duties of its own. Acting as a data controller, it will decide how to comply with the request, which data to provide or withhold and what format to supply it in.
Usually, the data processor has its own data controller responsibilities for personal data that it is not processing on behalf of its data controller client.
As an organisation becomes GDPR compliant, the roles and responsibilities of the data controller and the data processor multiply. A key to compliance is to recognise the difference between the two and the role a company plays. For easy and fast compliance, Seers presents you a “Free GDPR Audit”, which will benefit you by diminishing compliance issues and protecting your data from cybercriminals.