GDPR Requirements for Data Controllers and Processors
The first step towards GDPR compliance is determining your organization’s data role – are you a data controller or a data processor? Determining your role under GDPR can be challenging because of textual and practical ambiguity, but identifying your role is the starting point for determining which GDPR requirements your organization must follow.
What are the responsibilities of data controllers? A data controller determines the purpose and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization takes on the responsibilities of a data controller.
The Information Commissioner’s Office (ICO) guidance on determining the purposes of processing personal data says that if your organization is the decision-maker on any of the following questions, it takes on the responsibilities of a data controller:
- Who decides to collect the personal data in the first place and the legal basis for doing so?
- Who decides which items of personal data to collect?
- Who decides what methods to use to collect personal data?
- Who decides the purpose(s) that the data are to be used for?
- Who decides which individuals to collect data about?
- Who decides whether to disclose the data, and if so, who to?
- Who decides whether subject access and other individuals’ rights apply (i.e. the application of exemptions)?
- Who decides how long to retain the data or whether to make non-routine amendments to the data?
According to the guidance on principles regarding the means of processing personal data, data controllers may determine:
- What IT systems or other methods to use to collect personal data
- How to store personal data
- The detail of security surrounding the personal data
- The means used to transfer personal data from one organization to another
- The means used to retrieve personal data about certain individuals
- The method for ensuring a retention schedule is adhered to
- The means used to delete or dispose of personal data
What are the responsibilities of data processors? The law defines a data processor as the natural or legal person that processes personal data on behalf of a data controller. Processing is essentially anything done to personal data, including storing, archiving, or reviewing. Data processors cannot process data without the authority of the data controller and must provide sufficient compliance guarantees to data controllers.
Once you understand your organization’s role under GDPR, the next step is understanding which GDPR requirements apply to you. GDPR requirements depend on role: they differ for controllers, for processors, and for organizations that act as both controller and processor. In this white paper, you’ll learn which requirements apply to data controllers, which apply to data processors, and which apply to both. Let’s find out which GDPR requirements apply to your organization.