What's the difference between a data controller and a data processor? What are their responsibilities under GDPR? Learn more in Data Protection 101, our series on the fundamentals of information security.
With the General Data Protection Regulation (GDPR) becoming enforceable on May 25th, 2018, many companies are now making sure that they are GDPR-compliant.
If you are among those working on their GDPR compliance journey, you will have come across the terms “data controller” and “data processor”. Here’s what you need to know about each of these types of entities, the important differences between them, and their responsibilities under GDPR.
Definition of a Data Controller
In GDPR and other privacy laws, the data controller carries the most responsibility for protecting the privacy and rights of the data subject, such as the user of a website. Simply put, the data controller determines the purposes and means of the processing: what the data is used for and how it is handled.
In short, the data controller is the one who dictates how and why data is going to be used by the organization.
A data controller can process the data it collects using its own processes. In some instances, however, a data controller needs to work with a third party or an external service in order to work with the data that has been gathered.
Even in this situation, the data controller does not relinquish control of the data to the third-party service. The data controller remains in control by specifying how the data is going to be used and processed by that external service.
Definition of a Data Processor
A data processor simply processes the data that the data controller gives it, on the controller's behalf. Following the example above, the data processor is the third-party company that the data controller chose to use and process the data.
The data processor does not own the data it processes, nor does it control it. This means that the data processor is not able to change the purposes or the means of the processing. Furthermore, data processors are bound by the instructions given by the data controller; a processor that starts using the data for its own purposes steps outside its role and takes on the obligations of a controller for that processing.
For instance, Sterling Company has a website that collects data on the pages its visitors visit. This includes the page they enter the site with, the pages they visit next, and how long they stay on each page. Sterling Company is the data controller, as it decides how all of this information is going to be used and processed, and for what purpose.
Sterling Company uses Google Analytics to find out which of its pages are most popular and which ones make website visitors leave. This helps the company plan its content better by knowing exactly how much time each visitor spends on a particular page. Not only does Sterling Company learn which topics to write on, it can also discover new topics that might interest its customers, and it can improve the content that is already there.
Sterling Company needs to share the data it collects with Google in order to get the insights it wants from Google Analytics. In this case, Google Analytics is the data processor.
Data Controller Responsibilities
You are the data controller if your company or organization decides:
• To collect the personal information of your customers, site visitors, and other data subjects. You must have a lawful basis for doing so.
• What to collect.
• To change or modify the data that you get.
• Where and how to use the data and towards what purpose.
• Whether to keep the data in-house or to share it with third parties. You also figure out whom to share the data with.
• How long the data is kept, and when to dispose of it.
Data Processor Responsibilities
A data processor is the one who carries out the actual processing of the data under the specific instructions of the data controller.
You are the data processor if you are instructed or tasked by a data controller to perform some of the following:
• Design, create, and implement IT processes and systems that would enable the data controller to gather personal data.
• Use tools and strategies to gather personal data.
• Implement security measures that would safeguard personal data.
• Store personal data gathered by the data controller.
• Transfer data from the data controller to another organization and vice versa.
Why It’s Important to Understand Your Role
A data controller and a data processor have different roles and responsibilities, so it is important to know which role you play. For some companies and their outside service providers, the distinction might not be as clear-cut as the example above. For this reason, the GDPR spells out the different roles and responsibilities expected of a data controller and of a data processor.
This way, you can be sure that you have done everything that needs to be done on your part. For instance, in a data breach, the data controller and the data processor can each limit their risk exposure if they know which role they play and have made sure they have done everything expected of them.
If your company has outsourced data processing, it is even more important to make sure that the processor knows its GDPR obligations. Under GDPR, the relationship between a controller and a processor must be governed by a written contract (commonly called a data processing agreement) that sets out the subject matter, duration, nature and purpose of the processing, the controller's instructions, and the processor's obligations, including its security measures and its duty to assist the controller with breach notification and data-subject requests.
Dual Roles Under GDPR
As we have stated before, there are situations where roles overlap or fall into gray areas, making it harder to figure out whether you are the data controller or the data processor.
In the straightforward case, if you only store data, or only run analytics for another company on its instructions, you are clearly the data processor. There are also instances, however, where you can be both the data processor and the data controller.
For example, say a data controller gives an analytics provider all of its data, and the analytics provider has several reports on offer. The analytics provider then decides for itself which of the controller's data is necessary for the report the controller wants. Because the provider is now determining part of the means of the processing rather than simply following instructions, the analytics company becomes both a data controller and a data processor. If you are on the provider side of such an arrangement, document which processing you perform on instruction and which you decide yourself, since the controller obligations apply to the latter.
The roles and responsibilities of data controllers and data processors will become increasingly important as organizations strive to maintain compliance with GDPR. Understanding the differences between the two, and how the role that your organization serves in any particular scenario alters your responsibilities, is key to compliance.