It seems fair to say that most organisations are aware that they are subject to obligations under data protection laws, and of the extent to which those obligations apply to them. What is not so clear is the difference between the role of ‘data controller’ and that of ‘data processor’. Generally, it is the data controller that must exercise control over the processing and carry data protection responsibility for it: the controller determines the purpose for which data is processed, and the data processor processes data on behalf of the data controller.
It is becoming more and more obvious that organisations are facing difficulty in determining whether they, or the organisations they are working with, have data protection responsibility. With the GDPR enforcement date approaching on 25 May 2018, it is important for organisations to understand their role, as mixing up the two can have detrimental consequences, especially where there is a data breach.
Which is which?
To determine whether you are a data controller, you need to ascertain whether you make decisions as to:
- collection of the personal data and the legal basis for doing so;
- which items of personal data are collected;
- the purpose for which the data will be used;
- whether to disclose the data, and to whom;
- whether subject access and other individuals’ rights apply; and
- how long to retain the data.
These decisions can only be made by a data controller.
It is for the data processor to decide the following:
- what IT systems or other methods will be used to collect personal data;
- how to store the personal data;
- the detail of the security needed;
- how to transfer the personal data to other organisations;
- how to ensure retention policies are adhered to; and
- how to delete the data.
Although these lists are not exhaustive, they highlight the fact that control, rather than possession, of personal data is the determining factor; a data processor decides how to carry out certain activities on the data controller’s behalf. It is therefore essential to determine the degree of independence that each party has in determining how and in what manner the data is processed.
Will the GDPR change things?
When the new legislation comes into force in 2018, it will impose many more obligations on data processors, for example:
- being directly responsible for implementing appropriate security measures;
- maintaining a record of all processing operations under their responsibility;
- needing to appoint a Data Protection Officer if need be; and
- needing to inform the data controller immediately of any data breach.
This will represent a significant change for data processors, who (under the current regime) can avoid direct liability under the law.
What is the impact for organisations?
The GDPR presents a more even balance between the responsibilities placed on data controllers and data processors. However, this will considerably increase the risks for organisations that act as data processors in terms of liability and responsibility.
Given the heavy fines that organisations can face for GDPR breaches, data processors will need to familiarise themselves with the new rules. It is likely that more focus will be placed on negotiating data processing agreements, and on detailed analysis carried out in order to establish whether you need a Data Protection Officer.
It is therefore advisable that organisations establish their roles as either data processor or data controller before processing commences, to ensure there is no confusion about who is responsible for what.
Some processors may find it useful to review their existing data processing agreements, to ensure that they have met their own compliance obligations and to guarantee that they are GDPR ready when the time comes.