GDPR Obligations for Controllers and Processors

by Faria Rahman

23 June 2025


Two of the key concepts within the UK General Data Protection Regulation (UK GDPR) are the roles of controllers and processors. Whether you are a controller or a processor depends on who exercises control over the purpose and means of processing personal data. The entity that determines the purpose and means of processing is the data controller, and the data processor is the entity that acts on the controller’s behalf and only on its instructions.

The roles and responsibilities of data controllers and data processors are becoming increasingly important as businesses strive to maintain compliance with the UK GDPR, especially in an age where data drives decisions.


What is Personal Data?

Personal data, as defined in Article 4 of the UK GDPR, is any information relating to an identified or identifiable individual, that is, a natural person who can be identified either directly or indirectly by reference to an identifier such as a name, an ID number, or the genetic or economic identity of that natural person.

Personal data also includes “quasi-identifiers”, where multiple types of data are combined to reveal an individual’s identity.

Both the data controller and the data processor have a legal obligation to safeguard personal data.


What does it mean if you are a controller?

A controller is the main decision-maker, as it determines the purpose and means by which personal data is processed.

To determine whether you are a controller, you will need to consider your role and responsibilities as regards data processing activities. If you decide what data to process and why, then you are a controller.

An example of a data controller would be an e-commerce business that collects customer personal data such as names and addresses for orders and shipping, or an educational institution that decides what student information to hold and maintain.

Controllers bear the highest level of compliance responsibility under the UK GDPR. As a controller, you must comply with, and demonstrate compliance with, the data protection principles, including taking responsibility for the compliance of your processors. Some of the controller obligations include:

  • Protecting personal data and preventing unlawful processing.
  • Establishing and recording the legal basis for processing data.
  • Providing information to data subjects regarding the personal data you hold about them, the purpose for which it is processed and for how long it will be retained.
  • Ensuring that a binding contract sets out the governance framework between the controller and the processor, so that the processor implements appropriate security measures to protect personal data.

As a controller, if you are in breach of your data protection compliance obligations, the Information Commissioner’s Office (ICO) or an individual may take action against you.


What does it mean if you are a processor?

A processor is an entity that processes personal data on behalf of the data controller. The data processor acts only on the instructions of the data controller and assists it in meeting its obligations. Processors are thus required to enter into a written agreement with the controller that sets out the terms of their engagement, including assisting the data controller in meeting its regulatory obligations, ensuring the security of the personal data, and setting out the procedures for handling and reporting data breaches to the data controller. Like data controllers, data processors may also be subject to enforcement action by the ICO.

An example of a data processor would be where a business uses a cloud service provider to store its customers’ personal data. The cloud provider would be the data processor, storing the data on the instructions of the various businesses, which would be the data controllers.


Why It’s Important to Understand Your Role as a Data Controller or Data Processor

Depending on whether you are a data controller or a data processor, you will have different roles and responsibilities, so it is crucial to understand which of the two you are. The role your business plays may change from one scenario to another, and understanding the difference between the two roles and which one you hold in a given situation is key to complying with your responsibilities.

Thankfully, the UK GDPR sets out the different requirements expected of these two roles. So, whether you are a data controller or a data processor, you know exactly what your responsibilities are and can limit your risk exposure by understanding your role and what you need to do to comply with your regulatory obligations.


Concluding Thoughts

In our data-centric landscape, a lack of understanding or clarity over the two roles can result in significant legal penalties, reputational damage or loss of client confidence. By clarifying and clearly understanding their obligations under these two roles, businesses can be confident that they are meeting their regulatory obligations, as well as being able to build strong consumer trust and confidence.
