Article 4 of the General Data Protection Regulation (GDPR) defines the roles of “data controller” and “data processor”.
Data Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Data Processor (in short): a person or body that processes personal data on behalf of the controller.
For example, a website collects personal data (of any type) from visitors and customers for marketing and sales purposes. The collected data is then sent to a third-party firm, Marketing and Promotions Ltd, for email marketing, SEO and social media campaigns.
If you supply the data and the instructions on how it is to be used, then Marketing and Promotions Ltd is a data processor and you are the data controller. But if you hand over the data and leave Marketing and Promotions Ltd to decide for itself what it is used for and how, then it is no longer merely a processor: it determines purposes and means, so it becomes a controller in its own right (jointly with you, or independently), with the corresponding obligations.
Controllers and processors are subject to the same data protection principles, but their duties are not identical. The controller carries primary responsibility for compliance; the processor has its own, narrower set of obligations, including acting only on the controller’s documented instructions (Article 28), keeping records of its processing (Article 30) and securing the data (Article 32).
The formal definition of a processor is given in GDPR Article 4(8):
“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Processors must assist controllers in several situations, for instance by notifying the controller without undue delay after becoming aware of a personal data breach (Article 33(2)) and by supporting Data Protection Impact Assessments (Article 28(3)(f)). Under Article 30(2), a processor must also keep a record of the categories of processing it carries out on behalf of each controller.
Staff training plays a crucial part in protecting personal data: human error is repeatedly cited as a leading cause of data breaches, with one commonly quoted estimate putting it at 37% of incidents. Training is therefore also an effective way to stay compliant and avoid GDPR fines.
Despite being an essential aspect of GDPR compliance, staff training is still under-emphasized. Companies are willing to overhaul their whole network, improve their information security and rework their cookie consent mechanisms, yet they pay very little attention to the most vulnerable element, the people who handle the data day to day, where there are endless opportunities for a small mistake. Staff training is a fundamental requirement for GDPR compliance.
Companies must know how to meet the challenges of GDPR. They must make their staff aware of the rules and regulations, for example through e-learning. The cornerstone of awareness training must be privacy: the focus should be on protecting personal data as a matter of respect for people’s rights.
The obligations, rights, responsibilities and penalties under GDPR must be covered in depth with employees. Explain to them the importance GDPR places on the protection of personal data. By the end of the training they should know the core privacy principles of the GDPR and how to apply them in their everyday work routine.
Some companies already have well-trained employees and run GDPR training programmes regularly. This does not mean training has to be continuous, or that you must hold a session every other day. Staff join and leave constantly, so you need to know when training is actually required in your company.
It should be offered when you identify knowledge gaps in your workplace, when you introduce new systems or processes that handle personal data, and when regulators change the regulatory framework or issue new guidance.
Your staff must know the basic definitions under GDPR, such as the main responsibilities of data processors, what counts as personal data, and which data falls into the special categories (such as health, biometric or political data) that attract stricter rules. In addition, they need a good understanding of the following:
1) Data transfer and disclosure: keep track of where personal data is transferred and to whom it is disclosed, and on what basis.
2) Data Protection Impact Assessments (DPIAs): required for processing that is likely to result in a high risk to individuals.
3) Legitimate Interests Assessments (LIAs): not mandated by the text of the GDPR itself, but a best practice recommended by privacy specialists and regulators when relying on legitimate interests as a lawful basis.
4) Data Protection Officers: the GDPR requires some organizations to designate a Data Protection Officer (DPO), notably public authorities and organizations whose core activities involve large-scale monitoring or large-scale processing of special-category data.
5) Processing children’s data: where you collect data from underage subjects, you must have adequate systems in place, including age checks and parental consent where the GDPR requires it.