Welcome to Week 3 of my mini-series on aspects of the GDPR, the new data protection rules that come into force on 25th May 2018. This week, we are looking in depth at the differences between controllers and processors. You can view Week 1 and Week 2 by clicking on their links.
The basic difference between controllers and processors is as follows:
A controller determines the how, why and what of data processing. Where two or more parties share this role, they are known as joint controllers.
A processor is responsible for the actual data processing as per the controller’s instructions. They do not make any decisions and must not make data available to anyone other than the controller without the controller’s permission.
Because controllers and processors have different roles, they also have different obligations. As processors are the worker bees, their obligations are much simpler. A processor must do the following:
- comply with the GDPR and show how they have complied
- maintain processing records
- appoint Data Protection Officers if required
- work with supervisory authorities
- ensure security of data
A controller’s list of obligations is much longer. They must consider the nature, scope, context and purpose of processing, alongside any risks and the potential impact on human rights. Data security must be built into processing right from the beginning; this is known as Privacy by Design. If there is a data breach, the controller must notify a supervisory authority within 72 hours. The notification needs to describe what happened, how many subjects were affected and what data was breached, and must include the name and contact details of the controller or of the DPO if there is one, together with the potential consequences and the measures taken. Data subjects must also be informed of the breach if there is a high risk to their rights and freedoms.
Controllers must provide data subjects with any information they request. Subjects must be given the following details:
- controller’s identity and contact details
- DPO’s contact details (if the organisation has one)
- purpose and legal basis for processing
- who data will be given to
- if data will be transferred outside EU
- why personal data is required and what the consequences will be if the subject doesn’t provide such data
- what rights the subject has
- whether any decision-making is automated
- if data will be used for another purpose in future
If data is not directly obtained from the subject then the controller needs to provide information on where it was obtained from, unless EU law states data must remain confidential or it would be impossible to do so (such as when undertaking a large study of public statistics).
If you are a joint controller then you have joint liabilities. Evidence must be provided to supervisory authorities that the GDPR is being complied with. Organisations should document their policies and keep a record of all processing. While any organisation can appoint a DPO to help with compliance, you must appoint a DPO if your processor is a public body, if large amounts of data are being processed, or if the data falls into a special category or relates to criminal activity.
The DPO acts as a monitor to the data collection process, ensuring GDPR compliance and as such must be a person whose qualifications are recognised under the GDPR.
Controllers must maintain records of all processing (exemptions apply to small businesses but it’s worth recording anyway). These records must include:
- controller’s name and contact details
- why data is being processed
- categories of subjects, data and recipients
- whether data will be transferred outside the EU and how this will be done
- projected time until the data is erased
- basic details of technical and organisational security measures, including risk assessment and consideration of the costs and implementation of processing
A Data Protection Impact Assessment (DPIA) must be carried out by the controller if the processing may cause a high risk to the subject’s rights and freedoms, such as when using an automatic process. The DPIA must contain a description of the processing, an evaluation of the processing with regard to its purpose, and an evaluation of the risks and the proposed measures to be taken to address these risks.
A DPIA is not required for processing carried out for legal compliance or in the public interest.
If the DPIA indicates a high risk to subjects’ rights and freedoms, then the controller must consult with the supervisory authority before beginning processing. This is known as Prior Consultation. The controller must inform the supervisory authority of what responsibilities the controller and processor have, why and how the data is being processed, any measures taken to protect subjects’ rights, the DPO’s contact details (if there is one), the full text of the DPIA and any other information requested by the supervisory authority.
Companies outside of the EU intending to process data on EU citizens must appoint a representative within the EU to ensure GDPR compliance. This doesn’t apply to public bodies, processing which is occasional, large-scale processing of special categories or criminal data.
I hope this has been a helpful overview of the different tasks a controller and a processor have. The information comes from my work on a free online course from the University of Groningen, which you can access here.