What is the difference between ‘data controller’ and ‘data processor’?

It seems fair to say that most organisations are aware that they are subject to obligations under data protection laws, and of the extent to which they are subject to such obligations. What is not so clear, however, is the difference between the role of ‘data controller’ and that of ‘data processor’. Generally, it is the data controller that must exercise control over the processing and carry data protection responsibility for it. The data controller determines the purpose for which data is processed, and the data processor processes data on behalf of the data controller.

It is becoming more and more obvious that organisations are facing difficulty in determining whether they or the organisations they are working with have data protection responsibility. With the GDPR enforcement date approaching on 25 May 2018, it is important for organisations to understand their role, as mixing up the two can have detrimental consequences, especially where there is a data breach.

Which is which?

To determine whether you are a data controller, you need to ascertain whether you make decisions as to: 

  • collection of the personal data and the legal basis for doing so;
  • which items of personal data are collected;
  • the purpose for which the data will be used;
  • whether to disclose the data, and who to;
  • whether subject access and other individuals’ rights apply; and
  • how long to retain the data.

These decisions can only be made by a data controller.

It is for the data processor to decide the following:

  • what IT systems or other methods will be used to collect personal data;
  • how to store the personal data;
  • the detail of the security needed;
  • how to transfer the personal data to other organisations;
  • how to ensure retention policies are adhered to; and
  • how to delete the data. 

Although these lists are not exhaustive, they highlight the fact that control, rather than possession, of personal data is the determining factor; a data processor decides how to carry out certain activities on the data controller’s behalf. It is therefore essential to determine the degree of independence that each party has in determining how and in what manner the data is processed.

Will the GDPR change things?

When the new legislation comes into force in 2018, it will impose many more obligations on data processors, for example: 

  • being directly responsible for implementing appropriate security measures;
  • maintaining a record of all processing operations under their responsibility;
  • needing to appoint a Data Protection Officer if need be; and
  • needing to inform the data controller immediately of any data breach.

This will represent a significant change for data processors, who (under the current regime) can avoid direct liability under the law.

What is the impact for organisations?

The GDPR presents a more even balance between the responsibilities placed on data controllers and data processors. However, this will considerably increase the risks for organisations that act as data processors in terms of liability and responsibility.

Given the heavy fines that organisations can face for GDPR breaches, data processors will need to familiarise themselves with the new rules. It is likely that more focus will be placed on negotiating data processing agreements, and that detailed analysis will be carried out in order to establish whether you need a Data Protection Officer.

It is therefore advisable that organisations establish their roles of either data processor or data controller before processing commences to ensure there is no confusion in knowing who is responsible for what.

Some processors may find it useful to review their existing data processing agreements, to ensure that they have met their own compliance obligations and to guarantee that they are GDPR ready when the time comes.

CONTACT EMMA

If you would like more information or advice relating to this article or an employment law matter, please do not hesitate to contact Emma Gross on 01727 798049.


© SA LAW 2018

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.