Under the EU's General Data Protection Regulation (GDPR), any company that processes personal data within the EU is classed as either a data controller, a data processor, or both. What are the key procedures for controllers and processors?
A data controller is like the data boss. It calls the shots on how the personal data in its possession is processed: who can access the data, how long it is kept for, and how the data subject (the person the data is about) can request its deletion.
A data processor is like the data controller's employee. It processes on the data controller's behalf. It does as it's asked. But that doesn't mean it's not accountable - it also has a lot of important responsibilities.
Let's see how the GDPR itself defines a data controller, at Article 4 (7):
"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law"
In other words, a data controller is the person or organization that decides why (the purposes) and how (the means) personal data is processed.
So, what procedures does a data controller actually have to carry out?
Broadly speaking, there are two (big!) tasks:
- Understand the principles of GDPR.
- Implement and be accountable for those principles.
First, we'll take a look at the principles that data controllers must understand. Then we'll set out some practical steps that data controllers should take to implement these principles.
Understand the Principles of the GDPR
A fundamentally important job for a data controller is to understand the GDPR and their role within it.
As the boss of all the personal data they are processing, the buck stops with the data controller. They must be able to demonstrate that any data they process is treated in a way that is compliant with the GDPR.
Without a thorough knowledge of GDPR principles and an understanding of how these principles apply to their specific situation, this will not be possible.
A data controller needs to know the principles of Article 5 of the GDPR. Under these principles, a data controller must:
- Process personal data in a lawful, fair and transparent way.
- Only process personal data for a limited and specific purpose.
- Only process the personal data that is necessary for their purposes.
- Ensure that personal data they are processing is accurate and up-to-date.
- Store personal data only for as long as is necessary.
- Keep personal data safe and confidential.
- Be accountable for how they process personal data.
That last one requires a bit of work. For a data controller to be accountable, they need to be able to demonstrate how they are complying with all of the principles of GDPR.
Here are a few specific things that data controllers need to do for GDPR compliance.
Identify a Lawful Basis
The GDPR sets out six lawful bases for processing personal data, at Article 6 (1). Processing that falls within the GDPR's scope is only lawful if it rests on at least one of them, and the data controller needs to identify which lawful basis it is relying on before the processing starts.
Firstly, it's worth setting out what processing actually means in the context of the GDPR (spoiler alert: it's everything).
Take a look at these examples provided at GDPR Article 4 (2) itself:
"collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"
You might be struggling to think of something that you could do with someone's personal data that doesn't qualify as 'processing' it. Well, effectively, there's nothing. It's all processing.
The GDPR is all about putting privacy and control into the hands of individuals in the EU. If you're going to collect and store the personal data of someone in the EU (citizen or not), you'd better have a good reason for doing it.
A data controller can think of the six lawful bases as their justification for processing a person's personal data. If someone asks "why are you processing my data in this way?" you will be able to point to this legal justification.
The lawful bases are:
- Consent - the person has freely permitted you to process their data. For example, they signed up to receive your newsletter.
- Contract - you have a contract with this person (or they have asked you to take steps before entering one), and you need to process their data to carry it out. For example, they asked you for a health insurance quote, so you need the details required to price it. Note that medical history is special category data, so a contract alone is not enough for it: one of the conditions at Article 9 (2) must also apply.
- Legal obligation - the law requires you to process the person's data in a particular way. For example, you need to provide information about a person's salary to the tax authorities.
- Vital interests - you need to process this person's data to protect their life or the life of someone else. For example, they are unconscious after a car accident, and you need to provide their medical history to the hospital.
- Public task - you're a public authority, or you're carrying out public duties. For example, you need to store someone's address to provide their household with water.
- Legitimate interest - you (or a third party) have a genuine interest in processing the data, and that interest is not overridden by the individual's own interests, rights and freedoms. This basis requires you to weigh the two. For example, you retain records of legal advice given to a person in case they later sue you.
Whichever basis applies, transparency means the data controller must also tell the individual, normally in a privacy notice:
- Why you are processing their data.
- How you are processing it.
- The rights they have under the GDPR.
Appoint a Data Protection Officer
The data controller must consider whether they need to appoint a Data Protection Officer.
The GDPR gives three conditions, at Article 37 (1), under which a data controller must appoint a Data Protection Officer.
These conditions are a little vague, but for clarification we can call upon the Article 29 Working Party. Its guidance on Data Protection Officers predates the GDPR's application date, but has been endorsed by the Working Party's successor, the European Data Protection Board.
The data controller must appoint a Data Protection Officer if:
- They are a public authority or body. This could be a government body, a local authority, or a body delivering a public service which is financed mostly by the state.
- Their core activities involve regular and systematic monitoring of data subjects on a large scale. Monitoring includes credit scoring, CCTV recording and location tracking. Large-scale examples are a hospital processing patient data, or a city-wide bus company tracking travel data.
- Their core activities involve large-scale processing of special category data, or of data relating to criminal convictions and offences. Special category data is defined at GDPR Art. 9 (1): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used to uniquely identify a person, and data concerning health, sex life or sexual orientation.
Conduct a Data Protection Impact Assessment
A data controller must conduct a Data Protection Impact Assessment (Article 35) before starting any processing that is likely to result in a high risk to individuals' rights and freedoms. Some examples include:
- Using new technology to process data
- Processing biometric data
- Large-scale profiling of individuals
- Processing special category data on a large scale
A Data Protection Impact Assessment must set out the following:
- The reason you are processing this sort of data.
- The scale on which you are doing so.
- Why it is necessary.
- What risks you have identified, and how you are mitigating these.
Help Individuals Exercise Their Data Rights
One major purpose of the GDPR is to allow individuals control over their personal data.
The GDPR sets out specific rights that an individual has over their data at GDPR Chapter 3.
This includes the right to:
- Be informed about any of their personal data that the data controller is processing.
- Access this data.
- Request that incorrect information is rectified.
- Request that data is erased (sometimes known as the 'right to be forgotten').
- Request restrictions on the way their data is processed.
- Move their data across different services.
- Object to the processing of their data.
- Not be subject to a decision based solely on automated processing (including profiling) that has legal or similarly significant effects on them, and to ask for human intervention instead.
The data controller needs to help the individual exercise these rights.
This means that if the individual asks the data controller to provide a copy of their personal data, or for some of their personal data to be erased, the data controller needs to do this.
If it is not possible, or the controller refuses, it must tell the individual why and inform them that they can complain to the supervisory authority.
Individuals should receive a response within one month of the request being received. Under Article 12 (3) that period can be extended by up to two further months for complex or numerous requests, but the individual must be told about the extension, and the reasons for it, within the first month.
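Whether a request is still inside its response window is the kind of thing that ends up tracked in a spreadsheet, and the "one month" rule has an edge case: the deadline is the same day of the following month, or the last day of that month when that day does not exist, so a request received on 31 January is due on 28 or 29 February. The Python below is an added example and not code from the original article: it computes the Article 12 (3) deadline with that calendar-month rule, applies the optional two-month extension, and flags overdue requests in a small constructed register. The function names, status labels and sample requests are assumptions for illustration.

```python
# Added example (not from the original article): tracking the Article 12 (3)
# response deadline for data subject requests. The "plus one month" rule uses
# the same day of the following month, falling back to the last day of that
# month when no such day exists (for example 31 January -> 28/29 February).
# The one-month deadline and the two-month extension come from Art. 12 (3);
# the function names, status labels and sample requests are assumptions.
import calendar
from datetime import date


def add_months(start: date, months: int) -> date:
    """Return the same calendar day `months` later, clamped to the month end."""
    index = start.month - 1 + months
    year = start.year + index // 12
    month = index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(received: date, extended: bool = False) -> date:
    """One month from receipt, or three months in total if the Art. 12 (3)
    extension has been invoked (the individual must be told within month one)."""
    return add_months(received, 3 if extended else 1)


def request_status(received: date, today: date,
                   extended: bool = False, responded: bool = False) -> str:
    """Classify a request: 'closed', 'open', 'due soon' (7 days or fewer left)
    or 'overdue'."""
    if responded:
        return "closed"
    days_left = (response_deadline(received, extended) - today).days
    if days_left < 0:
        return "overdue"
    if days_left <= 7:
        return "due soon"
    return "open"


# Constructed sample register: (request id, type, received, extended, responded)
SAMPLE_REQUESTS = [
    ("DSAR-001", "access", date(2024, 1, 31), False, False),
    ("DSAR-002", "erasure", date(2024, 2, 14), False, True),
    ("DSAR-003", "access", date(2024, 1, 10), True, False),
    ("DSAR-004", "rectification", date(2024, 2, 5), False, False),
]


def overdue_requests(requests, today: date) -> list:
    """Return the ids of requests that have missed their deadline."""
    return [rid for rid, _, received, extended, responded in requests
            if request_status(received, today, extended, responded) == "overdue"]


if __name__ == "__main__":
    today = date(2024, 3, 1)  # constructed "current date" for the sample run
    for rid, kind, received, extended, responded in SAMPLE_REQUESTS:
        print(rid, kind, response_deadline(received, extended),
              request_status(received, today, extended, responded))
    print("overdue:", overdue_requests(SAMPLE_REQUESTS, today))
```

With the sample register and a "today" of 1 March 2024, the request received on 31 January is overdue (its deadline fell on 29 February), the one received on 5 February is due soon, and the extended request received on 10 January has until 10 April.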
Appoint and Manage Appropriate Data Processors
Whilst data processors are themselves accountable under the GDPR, it is still the responsibility of the data controller to appoint a data processor which is compliant.
There are several factors for a data controller to consider when selecting a data processor, including:
- The data processor must offer sufficient guarantees that it will process data securely and in line with the GDPR (Article 28 (1)).
- A data processor can be based outside the EU. In that case, the data controller also needs a valid basis for the international transfer under Chapter V of the GDPR, such as an adequacy decision or standard contractual clauses.
Remember that the data controller is the boss. It is trusting the data processor to look after personal data on its behalf. It needs to be very clear about the data processor's role (the Article 28 (3) contract does this) and have arrangements in place for handling personal data breaches, including the processor's duty to notify the controller without undue delay.
The definition of a data processor, given at GDPR Art. 4 (8), is a little less wordy than that for the data controller. It's defined as:
"a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"
If the data controller is an online shop, the data processor might be an email marketing company that sends promotional material. Or, it might be a payments company that manages online purchases.
When it comes to data processors, the big change that arrives with the GDPR is that they are now directly accountable under the law. This means they can be fined and held liable for damages if they breach the GDPR, just like a data controller.
Understand the Principles of the GDPR
The data processor, much like the data controller, must understand the principles of the GDPR. It cannot lawfully process data on behalf of the data controller without complying with the GDPR.
Appoint a Data Protection Officer
When it comes to deciding whether to appoint a Data Protection Officer, the same conditions and procedures apply to data processors as controllers.
Fulfill Contractual Obligations
A data processor must have a contract (or other legal act) with its data controller, as required by Article 28 (3). This is the basis for all processing it carries out on the controller's behalf.
This contract contains specific provisions which ensure that the data processor is GDPR compliant, such as processing only on the controller's documented instructions and keeping the data secure. Therefore, it is crucial that the data processor adheres to it.
The data processor may bring in other processors (sub-processors), but Art. 28 (2) is clear that it needs the data controller's prior written authorisation, whether specific or general, to do so. Any sub-processor must be bound by the same data protection obligations and must also be fully GDPR compliant.
Assist the Controller in Helping Individuals Exercise Their Data Rights
The data processor will sometimes need to assist the data controller in facilitating requests made by individuals.
For example, if an individual exercises their right to erasure, the data processor must delete any copy of that individual's personal data that it holds, unless the contract requires it to be returned to the controller instead.
Summary
Both data controllers and processors must:
- Understand and be accountable for the principles of the GDPR.
- Implement those principles in a lawful way.
- Consider appointing a Data Protection Officer.
- Co-operate with supervisory authorities.
Data controllers must:
- Establish their legal basis for processing data.
- Consider conducting a Data Protection Impact Assessment.
- Help individuals exercise their data rights.
- Select and manage GDPR-compliant data processors.
Data processors must:
- Ensure they fulfil their contractual obligations to the data controller.
- Only bring in other data processors if they have written permission from the data controller, and the other data processors are GDPR-compliant.
- Assist the data controller in helping individuals exercise their data rights.