Disclaimer – We are not providing any legal advice or consultation pertaining to GDPR or other compliance issues. Please consult with your legal
teams and resources to ensure they are aware of their
obligations under applicable regulations.
GDPR (General Data Protection Regulation) was approved on April 14, 2016, and will come into play on May 25, 2018. It will be directly applied in each country, EU or non-EU (which stores European Citizens personal data), and is intended to strengthen and unify data protection for all individuals within the EU.
GDPR rules apply to ‘Controllers’ and ‘Processors’ of data:
- “Data Controller” is a single person or group of people, which determine the purposes and means of processing personal data.
- “Data Processor” is any person who processes data on behalf of the data controller.
“Processing” in this sense means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data. Knowing the difference between who the data controller and processor are will be paramount if there was ever a data breach situation as it would need to be determined where the responsibility lies, therefore it is best practice to have a clear view of what each role should be doing.
The Data Controller has the primary responsibility for ensuring that processing activities are compliant with the law. As stated in Article 5 of the EU GDPR “personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject” and in accordance with Article 24 of the EU GDPR “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this regulation”.
The Data Processor according to Article 28 of the EU GDPR, has the responsibility to provide “guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation”.
“The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. Data processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, nature, and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller”.
To determine whether you are a data controller or data processor you need to confirm which steps you take:
The Data Controller must decide:
- To collect the data in the first place and the legal basis to do so,
- Which items of personal data will be collected (content of the data)
- The purpose(s) that the data is to be used for
- Which individuals you will collect data about
- Whether the data will be disclosed, if yes then who to
- How long to retain the data.
The Data Processor must decide:
- What system/method is used to collect the data
- How to store the data
- Security of the data
- Means used to transfer data from one organisation to another
- Means used to retrieve personal data about certain individuals
- Ensuring the method behind the retention schedule is adhered to
- Means used to delete/dispose of data
The processor has the freedom to use technical knowledge to decide how to carry out certain activities on behalf of the data controller, however the data processor, cannot make any of the decisions on what is done with the data, these decisions must be made by the data controller.
All of the above in turn means that if any EU or non-EU company wants to stay in business as a controller or processor of data, it will have to implement the necessary controls to ensure that they comply with the EU GDPR. If there is non-compliance then fines showing in Article 83 of the EU GDPR shall be imposed regarding “the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them.”