Both data controllers and data processors have new obligations under the GDPR, but their responsibilities vary. Generally, data controllers have more accountability and liability, but processors will have new responsibilities and new added layers of liability written into their roles.
Are you a controller or a processor? Keep reading to find out what parts of the legislation impact your operations most and how you need to work together with the other party to maintain GDPR compliance.
Definitions of Controller and Processor
The new definitions of what constitutes a data controller and data processor are outlined in Article 4 of the GDPR.
A data controller is: "a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data."
Data processors process personal data on behalf of the controller.
Here's an example:
Your website collects email addresses and other personal data provided by visitors and customers for sales and marketing purposes. All the data collected is then sent on to Marketing and Promotions Ltd. for use in email marketing, SEO, and social media campaigns.
If you provide the data and the instructions, then you are the data controller and Marketing and Promotions Ltd is the data processor.
If you provide the data but leave Marketing and Promotions Ltd to come up with the means of processing, then you are both data controllers, and Marketing and Promotions Ltd is also the processor.
Why does it matter who provides the "purposes and means of processing?"
The new GDPR distinguishes between these roles for compliance purposes. The European Commission's guidance holds the data controller to be the principal party responsible for collecting, managing, and providing access to data.
For example, if the data subject exercised the right to request her data, the controller would retrieve it from their own servers or from the processor they contracted to handle the data.
Differing Roles for Controllers and Processors
The law distinguishes between controllers and processors for accountability. As a result, each receives different assigned roles for compliance.
Let's break down each party's role according to legislative requirements.
Only data controllers collect personal data from data subjects. Because of this, data controllers are also responsible for determining their legal authority to obtain that data.
Data controllers need to establish a lawful basis for collecting the data using one of the six bases for data collection set out in the GDPR. Controllers are also responsible for determining:
- What data they collect
- How they store the information
- How they use the information
- Whom they share the data with
- Whether they share the data with third parties
- When and how they delete the data
Any time a data processor becomes involved in collecting data, they become a data controller and all of the above responsibilities apply.
Controllers are obligated to use data processors who follow the legislation.
Moreover, any time a data controller and data processor work together, they must use a clearly defined contract to do so. The contract must outline the instructions the processor must follow when processing the data.
Include the following GDPR-mandated information in each contract:
- Nature, purpose, subject, and full timeline of processing plan
- Controller rights and obligations
- Categories of data included
- Categories of data subjects
- Agreement to adhere to instructions
- Confidentiality issues
- Commitment to the security measures required by Article 32
- Terms of hiring sub-processors
- Evidence of compliance with Article 28
- Return and erasure of data
The creation of the contract is the responsibility of the data controller. Data processors are obligated by law to follow the instructions provided by the controller.
If the controller fails to outline the required processes and leaves the methods and means up to the processor, then the processor morphs into the controller in the eyes of the law.
Data processors aren't only obligated to uphold the contract. They must also inform the controller if something in the terms infringes on the GDPR or another law.
Codes of Conduct or Certifications
In addition to having a contract, both controllers and processors must agree to a code of conduct or a recognized certification process that specifies how the agreement meets GDPR standards.
Read more about Codes of Conduct in Article 40 and GDPR Certification in Article 42.
The GDPR holds data controllers accountable for the collection, use, and disposal of personal data in most cases.
However, data controllers were already previously liable under both European legislation and national law.
What's new is the added accountability and liability for data processors.
Under the new law, individuals whose data you hold may send queries or complaints to either the data controller or the data processor. Data processors are liable when they work outside of instructions provided to them by the controller or when they violate the terms of the GDPR.
Both the controller and processor must engage in security practices that are compliant with the GDPR. Each party involved in the contract has an obligation to protect data from:
- Unauthorized access (both internal and external)
- Accidental loss
The GDPR outlines the measures in Article 32 and applies them to the controller and processor equally.
Agreed security measures must appear in the contract, but the guidance also requires both parties to go one step further.
In addition to using adequate and appropriate security measures, both the controller and processor must adhere to the approved code of conduct or certification mechanism agreed upon.
The code of conduct is outlined in Article 40(2).
Data Protection Impact Assessments
Controllers must use data protection impact assessments whenever they instruct a processor to carry out a high-risk activity. Each country's Supervisory Authority outlines what it considers to be high-risk activities.
Each impact assessment must feature a minimum of four essential elements:
- Description of the purpose of the process and the process itself
- Assessment of need for processing
- Evaluation of risks
- Measures applied to address and minimize risks
Data protection impact assessments are carried out in conjunction with the Supervisory Authority and the Data Protection Officer if one is appointed.
When should controllers carry out a data protection impact assessment?
Here are a few instances:
- Trying out new technologies
- Carrying out large scale profiling
- Extensive and systematic profiling
- Large scale processing of special category data
- Mixing or matching data from multiple sources
- Processing children's data for marketing purposes
- Processing data that might cause physical harm if breached
Transparency is a crucial goal of the GDPR
Article 5(2) says that data controllers "must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject."
Transparency needs to continue throughout the life of the data from collection to deletion.
Processors aren't explicitly mentioned in the text.
Data controllers are now required to keep records when they process sensitive information or are an organization with more than 250 employees.
These records outline the basis for your data collection and include:
- Details of the controller
- Processing purposes
- Description of types of data collected
- Categories of data recipients
- Data transfers including data transferred to third countries
- Erasure details
- Overview of data security measures
Data processors must also now keep records. Their records relate to the processes controllers ask them to carry out and include:
- Name and details of processor(s) and controller(s) and Data Protection Officer (if applicable)
- Categories of processing
- Data transfers to third countries or international organizations
- General description of security measures according to Article 32
All records must be both in writing and electronic form and should be ready to present to the Supervisory Authority if requested.
Reporting Data Breaches
Controllers must notify the Supervisory Authority and the data subject whenever a data breach looks as though it will put the rights and freedoms of data subjects at risk. Reports made to the Supervisory Authority need to be submitted within 72 hours of finding the breach.
If a processor finds a security breach, they must notify the relevant controllers impacted by the breach.
Appointing a Data Protection Officer
Both controllers and processors must appoint a Data Protection Officer (DPO) when they work with data and meet one or more of the following criteria:
- Are a public body
- Process large scale data requiring regular monitoring
- Hold special categories of data (including criminal conviction or offense data)
If appointed, a DPO's role is to:
- Advise the organization about its role in data protection
- Monitor compliance with relevant legislation
- Help with impact assessments
- Work with relevant Supervisory Authorities
Data controllers and data processors have different obligations under the GDPR, but you'll also find that their roles are complementary in reaching the goals of transparency and accountability.
Data controllers perform much of the regulatory legwork, while processors have a more prescriptive role. However, both have new liabilities under the law that make it critical for each to uphold their end of the bargain. Working together promotes compliance and helps both parties avoid the new, hefty fines that come with violating the rules.