13 February 2020
Under the EU's General Data Protection Regulation (GDPR), any company that processes personal data within the EU is classed as either a data controller, a data processor, or both. What are the key procedures for controllers and processors?
A data controller is like the data boss. It calls the shots when it comes to how the personal data in its possession is processed. It decides things such as who can access the data, how long it is kept for, and how the owner of the personal data can request its deletion.
A data processor is like the data controller's employee. It processes personal data on the data controller's behalf. It does as it's asked. But that doesn't mean it's not accountable - it also has a lot of important responsibilities.
Let's see how the GDPR itself defines a data controller, at Article 4 (7):
"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law"
In other words, a data controller is a person or organization that has some control over how some personal data is processed.
So, what procedures does a data controller actually have to carry out?
Broadly speaking, there are two (big!) tasks:
First, we'll take a look at the principles that data controllers must understand. Then we'll set out some practical steps that data controllers should take to implement these principles.
A fundamentally important job for a data controller is to understand the GDPR and their role within it.
The data controller is the boss of all the personal data it processes, so the buck stops with it. It must be able to demonstrate that any data it processes is treated in a way that is compliant with the GDPR.
Without a thorough knowledge of GDPR principles and an understanding of how these principles apply to their specific situation, this will not be possible.
That last one requires a bit of work. For a data controller to be accountable, they need to be able to demonstrate how they are complying with all of the principles of GDPR.
Here are a few specific things that data controllers need to do for GDPR compliance.
The GDPR sets out six lawful bases for processing personal data. You can only process data in the EU on one or more of these bases. The data controller needs to identify which lawful basis they are using.
Firstly, it's worth setting out what processing actually means in the context of the GDPR (spoiler alert: it's everything).
Take a look at these examples provided at GDPR Article 4 (2) itself:
"collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"
You might be struggling to think of something that you could do with someone's personal data that doesn't qualify as 'processing' it. Well, effectively, there's nothing. It's all processing.
The GDPR is all about bringing privacy and control into the hands of individuals in the EU. If you're going to collect and store the personal data of an individual in the EU, you'd better have a good reason for doing it.
A data controller can think of the six lawful bases as their justification for processing a person's personal data. If someone asks "why are you processing my data in this way?" you will be able to point to this legal justification.
The lawful bases are:
The data controller must consider whether they need to appoint a Data Protection Officer.
The GDPR gives three reasons that a data controller might need to appoint a Data Protection Officer.
These reasons are a little vague, but for clarification we can call upon the help of the Article 29 Working Party. Their guidance on Data Protection Officers is quite old, but has been endorsed as relevant to GDPR.
The data controller must appoint a Data Protection Officer if:
A data controller should consider conducting a Data Protection Impact Assessment. This is required wherever a data controller is processing data in a 'high risk' way. Some examples include:
A Data Protection Impact Assessment must demonstrate the following:
One major purpose of the GDPR is to allow individuals control over their personal data.
The GDPR sets out specific rights that an individual has over their data at GDPR Chapter 3.
This includes the right to:
The data controller needs to help the individual exercise these rights.
This means that if the individual asks the data controller to provide a copy of their personal data, or for some of their personal data to be erased, the data controller needs to do this.
If it is not possible, the data controller must provide a justification for not doing it.
Individuals should receive a response to their request within one calendar month.
Whilst data processors are themselves accountable under the GDPR, it is still the responsibility of the data controller to appoint a data processor which is compliant.
There are many factors for a data controller to consider when selecting a data processor, including:
Remember that the data controller is the boss. They are trusting the data processor to look after personal data on their behalf. They need to be very clear about the data processor's role and have systems in place to deal with any security breaches.
The definition of a data processor, given at GDPR Art. 4 (8), is a little less wordy than that for the data controller. It's defined as:
"a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"
If the data controller is an online shop, the data processor might be an email marketing company that sends promotional material. Or, it might be a payments company that manages online purchases.
When it comes to data processors, the big change that arrives with the GDPR is that they are now directly accountable under the law. This means they can be prosecuted and fined if they breach the GDPR, just like a data controller.
The data processor, much like the data controller, must understand the principles of the GDPR. It cannot lawfully process data on behalf of the data controller without complying with the GDPR.
When it comes to deciding whether to appoint a Data Protection Officer, the same conditions and procedures apply to data processors as controllers.
A data processor must have a contract with their data controller. This is the basis for all processes that they carry out on their controller's behalf.
This contract will contain specific provisions which ensure that the data processor is GDPR compliant. Therefore, it is crucial that the data processor adheres to it.
The data processor may bring in other processors. However, Art. 28 (2) is clear that it requires written permission from the data controller in order to do this, and any such other processors must also be fully GDPR compliant.
The data processor will sometimes need to assist the data controller in facilitating requests made by individuals.
For example, if an individual exercises their right of deletion, the data processor must delete any copy of an individual's personal data that they hold.
Both data controllers and processors must:
Data controllers must:
Data processors must:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.