The most frequently asked question I’ve received related to GDPR has to do with data processing roles: is my organization a data controller or a data processor? Determining your organization’s data role can be challenging because of textual and practical ambiguity, but identifying your role is the starting point for determining which GDPR requirements your organization must follow. The responsibilities of data controllers are different from the responsibilities of data processors. As a result, organizations cannot know their GDPR compliance obligations until they determine whether GDPR defines them as a controller or a processor.
What the Law Says: Responsibilities of Data Controllers
What are the responsibilities of data controllers? The law defines a data controller as the natural or legal person that determines the purpose and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization takes on the responsibilities of a data controller.
So, a controller does at least two things: determines the purpose and means for processing. From my perspective, the ability to determine the purpose of data processing is both easier to identify and a more logical standard for identifying whether an organization is a data controller than whether an entity determines the means of processing.
The UK Supervisory Authority, the Information Commissioner’s Office (ICO), has published guidance related to determining purposes of processing personal data. If you are the decision-maker on any of the following items, then you are subject to the responsibilities of data controllers:
- Who decides to collect the personal data in the first place and the legal basis for doing so?
- Who decides which items of personal data to collect?
- Who decides what methods to use to collect personal data?
- Who decides the purpose(s) that the data are to be used for?
- Who decides which individuals to collect data about?
- Who decides whether to disclose the data, and if so, who to?
- Who decides whether subject access and other individuals’ rights apply (i.e. the application of exemptions)?
- Who decides how long to retain the data or whether to make non-routine amendments to the data?
According to the ICO guidance on principles regarding the means of processing personal data, data controllers may determine:
- What IT systems or other methods to use to collect personal data
- How to store personal data
- The detail of security surrounding the personal data
- The means used to transfer personal data from one organization to another
- The means used to retrieve personal data about certain individuals
- The method for ensuring a retention schedule is adhered to
- The means used to delete or dispose of personal data
What the Law Says: Responsibilities of Data Processors
What are the responsibilities of data processors? The law defines a data processor as the natural or legal person that processes personal data on behalf of a data controller. Processing is essentially anything done to the data, including storing, archiving, or reviewing. Data processors cannot process data without the authority of the data controller. They must notify the data controller of any breaches and of any use of or change to sub-processors. Data processors must provide sufficient compliance guarantees to data controllers. It’s important to note that, based on the ICO guidance, processors may have some authority to determine the “means of processing” without becoming a controller or joint controller.
What Else Should Organizations Consider?
When determining which GDPR data processing role an organization fills, organizations might think a few operational areas are key: organizational size and structure, processing activity, data source, legal/professional and contractual arrangements. In my experience, only three of these areas are fully relevant.
Organizational size and structure are irrelevant when determining your role. Only a small part of GDPR addresses organizations with fewer than 250 employees, and that really does not impact whether an organization is a controller or a processor. Additionally, organizational structure (publicly or privately owned, single corporation, parent organization, affiliate, subsidiary, etc.) does not impact whether an organization is a controller or a processor.
Processing activity is only partially relevant in determining whether an organization is a controller or a processor because, ultimately, a controller can perform any activity that a processor performs. It should be noted that, based on practical experience and formal guidance, there are some processing activities that may be considered de facto controller activities. Specifically, payment processing and certain direct marketing activities may be considered activities that, by default, make an organization a controller.
Data source is an incredibly relevant factor in the controller/processor consideration. Where does your data come from? Is your data source the data subject? The more interaction your organization has with a data subject, the more likely that your organization is a data controller.
Specific legal and professional obligations may require organizations to operate as a controller. For example, accountants and attorneys each have legal and professional obligations to make independent decisions and, occasionally, disclosures regarding personal data that may be outside of the client’s processing authority.
Finally, contractual arrangements are a completely relevant factor in determining whether an organization is a controller or processor. Contracts should explicitly outline the purpose and means for processing data. The more authority a contract provides an entity with respect to either the purpose or the means of data processing, the more likely that entity is operating as a controller.
Once you determine whether your organization is a controller, processor, or both, your organization can then identify which GDPR requirements apply to you.
Other Roles under GDPR
Although GDPR establishes two primary data processing roles, there are several other important data processing roles that have additional compliance considerations, including:
- Joint Controller: A joint controller exists when two or more controllers jointly have authority and determine the purposes and means for processing personal data. The requirement here is to clearly define the responsibilities among joint controllers. The organizations must share authority over the data, not just share a data pool. For example, if a few organizations make an agreement to collect, use, or combine personal data and have mutual authority over that data, you might have a joint controller relationship.
- Controller-Processor: You can have situations where a person or organization is both a controller and a processor. A SaaS provider could serve as a data processor based on the data they receive from their clients, but they could also serve as a controller because they employ EU citizens. In this case, two sets of personal data exist, and the SaaS provider has different responsibilities towards the two sets.
- Data Protection Officer: An individual that has expert knowledge of data protection law, is independent from an organizational reporting perspective, cannot be told how to do their job, and cannot be penalized for their job. This could be a person who’s also fulfilling other roles within an organization (without a conflict of interest), but it could also be an outside contractor.
- Supervisory Authority: Independent, public authorities for each EU member state. Supervisory authorities are responsible for monitoring the application of GDPR and addressing non-compliance. These are the government organizations that you will be interacting with, and they have the authority to create additional GDPR compliance requirements.
Are you subject to the responsibilities of data controllers or the responsibilities of data processors? When determining whether you’re a data controller or a data processor, I encourage you to be open to whatever conclusion your organization’s processes lead you to. If you haven’t begun preparing for the May 25, 2018 deadline for GDPR enforcement, you should start now. For more information on GDPR readiness, contact us today.
About Mark Hinely
Mark Hinely, Esq., is a Regulatory Compliance Specialist with KirkpatrickPrice and a member of the Florida Bar, with 10 years of experience in data privacy, regulatory affairs, and internal regulatory compliance. His specific experiences include performing mock regulatory audits, creating vendor compliance programs and providing compliance consulting. He is also SANS certified in the Law of Data Security and Investigations.