GDPR divides responsibilities for organizations processing personal data based on their role, so determining which role your organization plays is one of the first steps towards GDPR compliance. You cannot know what your requirements or obligations under the law are until you do so. There are three major roles under GDPR: controllers, processors, and joint controllers. Let’s discuss what each of these roles mean and how your organization can determine which role it plays.
What is a Controller?
A controller is the organization who determines the purpose and means for processing. A controller has the most authority over processing activities and most likely has interaction with the data subject. A controller may determine things like:
- What kind of personal data to collect and the legal basis for doing so
- What the purpose of processing is
- What methods will be used to collect personal data
- How to store personal data
- The detail of security surrounding the personal data
- The means used to transfer personal data from one organization to another
- The methodology behind data retention
- The means used to delete or dispose of personal data
Some other responsibilities of controllers are handling data subjects’ rights requests through investigation, review, and response. Controllers are also responsible for performing Data Protection Impact Assessments, which is a formal process for reviewing and mitigating the risks of processing activities to data subjects. Controllers also have the responsibility of notifying supervisory authorities and data subjects in the event of a data breach.
What is a Processor?
A processor is organization that processes data on behalf of a controller. Processing is essentially anything done to the data, including storing, archiving, or reviewing. A processor helps the controller perform its obligations under GDPR but has no independent authority to determine what to do with the data or how to perform processing activities. Because processors can only act under the authority of a controller, their major responsibility is to support the controller.
What is a Joint Controller?
A joint controller is an organization who shares both personal data and decision-making authority with one or more other controllers. In a joint controller situation, the organizations must clearly define the responsibilities among joint controllers. The organizations must share authority over the data, not just share a data pool.
There are some responsibilities among controllers, processors, and joint controllers that are identical – the need for a data protection officer, documentation of processing activities, security over processing activities, designation of an EU representative, and liabilities under GDPR.
Are you subject to the responsibilities of controllers, processors, or joint controllers? Let’s find out today! Contact us to get in touch with a GDPR expert.
GDPR divides responsibilities for organizations processing personal data based on their role. There are three potential roles under the law: controllers, processors, and joint controllers. A controller is the organization who determines the means and the purposes for the processing. This is the organization that most likely has interaction with the data subject and will generally obtain the personal data from the data subject. A controller may also be a controller because it has independent legal obligations, such as an attorney or an accountant. A processor is a service organization that simply helps the controller perform its obligations under GDPR but has no independent authority to determine what to do with the data or how to perform a certain processing activity. A joint controller is an organization who shares both personal data and decision-making authority with another controller.
So, with those three roles identified under the law, let’s talk a little bit about what are some differences between a controller and processor. First, controllers are primarily responsible for handling data subjects’ rights requests. They are the ones that are responsible for investigating, reviewing, and responding to data subjects’ requests. Controllers are also responsible for performing Data Protection Impact Assessments. Those are processes for reviewing and mitigating the risks of processing activities to data subjects. Controllers also have the responsibility of notifying the supervisory authorities and data subjects in the event that there is a personal data breach. Processors, on the other hand, have the responsibility to only act under the authority of a controller, to notify a controller instead of a supervisory authority if there’s a breach, and to support rather than perform Data Protection Impact Assessments.
However, there are some responsibilities under GDPR that are identical between controller and processor. First, if applicable, both controllers and processors must have data protection officers. Second, if applicable, both controllers and processors must document their processing activities. Third, if applicable, both controllers and processors must designate a representative in the EU. Two additional identical responsibilities between controllers and processors are ensuring that their processing activities are secure and both controllers and processors are jointly and severely liable under GDPR for violations of the law.
Now, it’s already challenging to determine if an organization is a controller or a processor, but it should be noted that organizations may be both controllers and processors for different data subjects. For example, an organization that’s a software service provider may be a processor in its core activity of providing software; however, it may be a controller in its marketing efforts and as an employer. So, in that case an organization would have all of the responsibilities of a controller and all of the responsibilities of a processor.