One of the key differences between the GDPR, launched in May 2018, and the original Data Protection Directive (DPD) which was enacted in 1995, was the introduction of two specific roles: data controllers and data processors – both of whom have unique legal obligations.
The reason why these roles were introduced was to close a loophole that allowed covered entities to essentially “pass the buck” when it came to safeguarding personal data belonging to EU citizens. In other words, organizations would be able to outsource the processing of personal data, thus effectively diminishing themselves of responsibility and avoid having to comply with EU rules.
Organizations that process personal data on behalf of EU citizens must ensure that they understand the difference between data controllers and processors, and understand which of those roles is relevant to the processing activities they are involved in. To gain this understanding, we must first understand what is meant by “personal data”.
Personal data, as defined in Article 4 of the GDPR, is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Personal data also includes “quasi-identifiers”, which is where multiple types of data (often relating to geo-locations and dates) are combined, which, with a small amount of processing, would reveal the data subject’s identity.
As previously mentioned, both the data controller and the data processor have a legal obligation to safeguard personal data belonging to EU citizens. A more detailed explanation of these obligations is explained below.
What is a Data Controller?
Article 4(6) of the GDPR defines a data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. In other words, the data controller is the entity that initiates the collection of personal data from the data subject.
What is a Data Processor?
Article 4(7) of the GDPR defines a data controller as “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. A common example of a data processor would be a cloud storage provider.
It’s worth noting that processors and controllers located outside of the EU zone will still fall under the scope of the GDPR if they are processing personal data belonging to EU citizens. This is due to the GDPR’s controversial “Territorial scope” (Article 3), which enables EU rules to be enforced “regardless of whether the processing takes place in the Union or not”.
It’s also worth noting that it’s possible for more than one data controller to determine the purposes and means of processing. In this scenario, they would be referred to as “joint controllers”.
Consumer Privacy Rights
Under the GDPR, data subjects are granted an extended set of rights. I will not provide specific details about each of these rights, but the main purpose of them is to ensure that;
- Data subjects are informed about how their personal data is collected and used.
- Data subjects are allowed to access the information a controller or processor holds about them.
- Data subjects have the right to port, rectify and remove their personal data, upon request.
- Data subjects have the right to object to the way a controller or processor uses their personal data.
- Data subjects have the right not to be subject to a decision based solely on automated processing.
If a controller or processor fails to respect these rights, they may be subject to fines of up to €20 million, or 4% of global turnover (whichever is higher).
How can Controllers and Processors Meet Their Privacy Obligations Under GDPR?
Data controllers are required to perform due diligence on any data processors they rely on. After all, should the data processor fail to safeguard the personal data they are entrusted with, the data controller would still be held jointly accountable.
Data controllers must carry out a thorough risk assessment of the entities processing data on their behalf, to ensure they are able to meet the compliance requirements of the GDPR. This includes assessing their consent management protocols, privacy notices, data governance strategy, breach notification procedures, business associates, and more. In some circumstances, the processor may be required to sign some form of vendor agreement to ensure that they are aware of their responsibilities when it comes to safeguarding PII.
To ensure that both controllers and processors are able to respect the data privacy rights outlined above, they must be able to respond to Subject Access Requests (SAR’s) in a timely manner, typically within one month of receipt. In order to do this, it is crucial that they know exactly what personal data they store, where it is located, and who has access to it.
They should use a Data Security Platform that will automatically discover and classify PII, across all platforms and data centers they rely on. They must continuously monitor for anomalous activity involving PII, and they should be able to generate detailed activity reports at the click of a button, in order to demonstrate their compliance efforts to the supervisory authorities.