GDPR Readiness: Are You a Data Controller or Data Processor?

by Sarah Harvey / March 15th, 2018

GDPR Roles – Where Does Your Organization Start?

The most common questions we’re hearing related to GDPR have to do with roles – what role does my organization play? Are we a data controller or data processor? Joint controller? Controller-processor? Where should we start in our journey towards GDPR compliance? This can be a confusing aspect of compliance, but GDPR requirements depend on roles, so determining what role your organization plays sets the groundwork for determining which GDPR requirements apply to you.

What to Expect in the Webinar

In this webinar, we discuss three types of roles: data controller, joint controller, and data processor. The law defines a data controller as the natural or legal person that determines the purposes and means of the processing of personal data. Joint controllers exist when two or more controllers jointly determine the purposes and means of processing. A data processor is the natural or legal person that processes personal data on behalf of the data controller. When determining which role your organization fits, your organization should consider the following:

  • Organizational size and structure are irrelevant.
  • Processing activity is partially relevant.
  • Data source is incredibly relevant.
  • Contractual arrangements are completely relevant.

In this webinar, Mark Hinely also outlines a list of questions that should help your organization decide what its role is. Who decides…

  • To collect the personal data in the first place and the legal basis for doing so?
  • Which items of personal data to collect?
  • What methods to use to collect personal data?
  • The purpose(s) that the data are to be used for?
  • Which individuals to collect data about?
  • Whether to disclose the data, and if so, who to?
  • Whether subject access and other individuals’ rights apply (i.e. the application of exemptions)?
  • How long to retain the data or whether to make non-routine amendments to the data?
  • How to store personal data?
  • The detail of security surrounding the personal data?
  • The means used to transfer personal data from one organization to another?
  • The means used to delete or dispose of personal data?

Listen to the full webinar to learn about what your organization’s role is and hear Q&A from Regulatory Compliance Specialist, Mark Hinely. For more information on GDPR readiness, contact us today.

More GDPR Resources

ICO’s Data controllers and data processors: what the difference is and what the governance implications are

GDPR Readiness: What, Why and Who

Are You Ready for GDPR Compliance?