With the General Data Protection Regulation (GDPR) enforceable since 25 May 2018, many businesses are now working to ensure that they are GDPR-compliant.
If you are working on your GDPR compliance journey, you have probably come across the terms "data controller" and "data processor". Here is what you should know about each type of entity, as well as the key duties each has under GDPR.
What is the difference between a Data Controller and a Data Processor?
A data controller determines the purposes and means of processing personal data, whereas a data processor processes personal data on the controller's behalf and on its instructions. "Processing" refers to any operation (or set of operations) performed on personal data, such as collecting, storing, analysing, sharing or deleting it.
What is a Data Controller?
A data controller decides the purposes for which personal data is used and the procedures by which it is processed. Under GDPR and other privacy legislation, the data controller carries the primary responsibility for protecting the privacy and rights of the data subject, such as a website user. In brief, the data controller chooses how and why the organisation uses the data. A data controller can process the data it has collected using its own systems and procedures. In many cases, however, a data controller engages a third party or an external service to work with the data that has been collected.
What is a data processor?
A data processor processes the personal data that the data controller provides to it. A third-party data processor does not own or control the data it processes, which means it cannot change the purpose of the processing or the manner in which the data is used. In the example below, the data processor is the third-party company that the data controller has selected to process the data. Data processors are bound by the documented instructions issued by the data controller.
An Example of a Data Controller and Data Processor Relationship.
Sterling Company has a website that collects information about the pages its visitors view. This includes the page from which they entered the site, the pages they viewed next, and how long they spent on each page. Sterling Company is the data controller: it decides how all of this information will be used and processed, and for what purpose. Sterling Company uses Google Analytics to determine which of its pages are the most popular and which cause users to leave the website. Knowing how long visitors stay on each page allows Sterling Company to organise its content better. It not only learns which topics to write about but also discovers new ones that may interest its customers, and it can improve existing content. To gain these insights, Sterling Company must share the data it collects with Google. In this situation Google, as the provider of Google Analytics, is the data processor.
What Are the Responsibilities of a Data Controller?
A data controller is responsible for ensuring that all personal data processed within its organisation is handled in compliance with the GDPR. The controller determines:
- Whether to collect personal data from customers, website visitors and other data subjects, and on which lawful basis it may do so.
- What data to collect.
- Whether to alter or amend the data collected.
- Where and how to use the data, and for what purpose.
- Whether to keep the data within the organisation or share it with outside parties, and with whom.
- How long the data is retained and when it must be disposed of.
What Are the Responsibilities of a Data Processor?
A data processor is responsible for actually processing the data in accordance with the data controller's documented instructions, which may include:
- Designing, building and running the IT systems and procedures that allow the data controller to collect personal data.
- Using tools and techniques to collect personal data on the controller's behalf.
- Implementing security measures appropriate to the risk in order to protect the personal data.
- Storing personal data acquired by the data controller.
- Transferring data from the data controller to another organisation, and vice versa.
Acting on instructions does not relieve a processor of its own obligations: under GDPR the processing must be governed by a written contract, sub-processors may only be engaged with the controller's authorisation, and the processor must notify the controller without undue delay after becoming aware of a personal data breach.
What’s Your Role?
A data controller and a data processor have distinct tasks and responsibilities, so it is critical to understand which role you perform. The separation between an organisation and its outside service providers may not be as clear-cut as in the preceding example. For that reason the GDPR spells out the tasks and obligations that data controllers and data processors must each fulfil, so that you can verify you have met all of your responsibilities. In a data breach, for example, the controller must notify the supervisory authority within 72 hours of becoming aware of it, while the processor must notify the controller without undue delay; both parties limit their exposure by knowing which role they play and ensuring they have done everything expected of that role.
Dual Roles under GDPR
As previously stated, there may be overlaps and grey areas that make it harder to determine whether you are the data controller or the data processor, and there are situations in which you are both. If you merely store data or perform analytics for another organisation on its instructions, you are clearly a data processor. Suppose, however, that a data controller shares all of its data with an analytics provider that offers a variety of reports, and the provider itself decides which of the controller's data is required to produce the report that the customer requests. To the extent that the provider determines the purposes and the essential means of that processing, it acts as a data controller for it, while remaining a data processor for the storage and analysis it carries out purely on the customer's instructions. The roles of data controllers and data processors become more significant as organisations work to comply with GDPR. Understanding the differences between the two, and how the role your organisation plays in any given scenario affects your duties, is critical to compliance.
These were some of the key differences between a Data Controller and a Data Processor. Contact Praeferre for help with your digital needs.