Data Controller vs. Data Processor: What's The Difference?
What's the difference between a data controller and a data processor? What are their responsibilities under GDPR? Learn more in Data Protection 101, our series on the fundamentals of information security.
With the General Data Protection Regulation (GDPR) becoming enforceable on May 25th, 2018, a lot of companies are now making sure that they are GDPR-compliant.
If you are among those who are working with their GDPR compliance journey, then you must have come across the terms “data controller” and “data processor”. Here’s what you need to know about each of these types of entities, important differences, and responsibilities under GDPR.
What is a Data Controller?
In GDPR and other privacy laws, the data controller carries the most responsibility for protecting the privacy and rights of the data subject, such as the user of a website. Simply put, the data controller controls the procedures and the purpose of data usage.
In short, the data controller will be the one to dictate how and why data is going to be used by the organization.
A data controller can process collected data using its own processes. In some instances, however, a data controller needs to work with a third party or an external service in order to work with the data that has been gathered.
Even in this situation, the data controller will not relinquish control of the data to the third-party service. The data controller will remain in control by specifying how the data is going to be used and processed by that external service.
What is a Data Processor?
A data processor processes any data that the data controller gives them. A third-party data processor does not own the data that they process, nor do they control it. This means that the data processor cannot change the purpose of the processing or the means by which the data is used. Following the example above, the data processor is the third-party company that the data controller chose to use to process the data.
Data processors are bound by the instructions given by the data controller.
An Example of a Data Controller & Data Processor Relationship
Sterling Company has a website that collects data on the pages their visitors visit. This includes the page through which they enter the site, the pages they visit next, and how long they stay on each page. Sterling Company is the data controller, as they decide how all of this information is going to be used and processed, and for what purpose.
Sterling Company uses Google Analytics to find out which of their pages are most popular and which ones are making website visitors leave. This helps them plan their content better by knowing exactly how much time each visitor spends on a particular page. Not only does Sterling Company learn which topics to write on, but it also discovers new topics that might be of interest to their customers. Plus, it helps them improve the content that is already there.
Sterling Company needs to share the data they collect with Google in order to get the insights they want from Google Analytics. In this case, Google Analytics is the data processor.
What are the Responsibilities of a Data Controller?
A data controller is responsible for ensuring all data processed within their organization is compliant with the GDPR, deciding:
- Whether to collect the personal information of customers, site visitors, and other targets. They must have legal authority to do so.
- What to collect.
- Whether to change or modify the data that was collected.
- Where and how to use the data, and towards what purpose.
- Whether to keep the data in-house or to share it with third parties. They also determine with whom to share the data.
- How long the data is kept, and when to dispose of it.
What are the Responsibilities of a Data Processor?
A data processor is responsible for carrying out the actual processing of the data under the specific instructions of the data controller, which may include:
- Design, create, and implement IT processes and systems that would enable the data controller to gather personal data.
- Use tools and strategies to gather personal data.
- Implement security measures that would safeguard personal data.
- Store personal data gathered by the data controller.
- Transfer data from the data controller to another organization and vice versa.
Why It’s Important to Understand Your Role
A data controller and a data processor have different roles and responsibilities, so it is important to know which role you play. For some companies and their outside service providers, the distinction might not be as clear-cut as in the above example. For this reason, the GDPR has outlined the different roles and responsibilities expected from a data controller or a data processor.
This way, you can be sure that you have done everything that needs to be done on your part. For instance, in a data breach, the data controller and data processor would be able to limit their risk exposure if they know which role they play and then make sure that they have done everything expected of them.
If your company has outsourced data processing, it is even more important to make sure that the processor knows its GDPR obligations.
Dual Roles Under GDPR
As we have stated before, there are situations when there are overlaps and gray areas, making it more confusing to figure out if you are the data controller or the data processor.
There are also instances where you can be both the data processor and the data controller. If you store the data, or if you do the analytics for another company, then it is easy to see that you are the data processor.
For example, say a data controller gives an analytics provider all of their data, and the third-party company has several reports on offer. The analytics provider will then decide which of the controller's data are necessary for the report that the controller wants. In this case, the analytics company becomes both a data controller and a data processor.
The roles and responsibilities of data controllers and data processors will become increasingly important as organizations strive to maintain compliance with GDPR. Understanding the differences between the two, and how the role that your organization serves in any particular scenario alters your responsibilities, is key to compliance.