GDPR
DATA CONTROLLER OR DATA
by Rory Campbell, Forde Campbell LLC
One major consequence of the GDPR is the requirement on businesses to decide and state whether they are acting as a data processor, or a data controller, in a particular situation.
A data controller is someone who controls personal data, and provides it to a data processor for a particular purpose. A data processor is someone who processes data on behalf of a controller. The distinction between the two roles is one of control – it’s the data controller, and only the data controller, who can determine the purpose of the processing of the data.
Why is it important to understand the two roles and the difference between them?
What’s this got to do with your business? The answer lies in what’s fast becoming clear as being the essence of the GDPR: it’s all about putting data protection measures into actual practice, and being seen to be proactive, in contrast to the laissez-faire approach resulting from the previous 1998 legislation.
So, whilst the 1998 Data Protection Act whispered about data controllers and processors, it placed minimal requirements on any organisation acting as a data processor. In contrast, the GDPR bellows the importance of acting as a data controller or processor from the rooftops.
The GDPR places explicit obligations on data controllers, in particular in relation to how they must do business and contract with data processors. And it places, for the first time, a number of strict obligations on data processors.
All of these obligations require businesses acting in either role proactively to do stuff now, in time for May’s implementation of the GDPR.
What manner of data beast are you?
So understanding whether you’re a data controller or a data processor (or both, or neither) is the first important step in working out what legal and organisational steps you need to take to be ready for May 2018.
The first thing to understand is that, depending on who you’re dealing with in the day-to-day operation of your business, you may be acting as a data controller and a data processor at the same time.
For example, you will hold personal data of your employees. You’re in control of what happens to that data, and how you use it: you’re therefore a data controller in respect of such data.
Separately, if you go out and collect personal data for your business purposes, then you will be data controller in relation to that personal data. You’ll have to comply with all the GDPR obligations on a data controller (whether by getting the data subjects’ appropriate consent, or collecting through some other lawful means), and you’ll have to respond to all the rights of the data subject.
At the same time, your business may provide services to other businesses where you hold collected personal data on their behalf. For example, you could provide data hosting services, or you might provide customer list analysis services as your business.
Alternatively, you may hold and process a client’s collected personal data as part of an outsourced service – whether a full-blown outsource (for example, providing payroll and HR functions) or an outsourced service in all but name (for example, providing a content management system on a SaaS basis, so that your clients’ documents containing personal data are stored within your environment).
In relation to your customers, you’re acting as a data processor – whilst you’re separately acting as a data controller in relation to your employees’ information.
The test you need to apply to determine whether you’re a processor or a controller of particular data is as follows: do you control the purpose for which the data is used?
As a basic rule of thumb, a data processor’s activities are generally technical, such as data storage, retrieval or erasure. By contrast, activities which take the data and use it for a particular purpose, such as interpretation, the exercise of professional judgement or significant decision-making, are the functions of a data controller.
Before we look at the consequences for you of being a data controller and/or a data processor, let’s just add in another complication. It would be a mistake to assume that every B2B relationship is a data controller – data processor relationship.
In many cases where a provider supplies services to your organisation, and takes on some of your personal data as an incidental part of the service provision, you’re the data controller – but so is the service provider.
For example, an accountant going through the books of her client will be processing the personal data of the client’s staff – but may be under a separate duty to the accountancy profession and the law to provide any information (which may include personal data) to the police in the event of discovering fraud or malpractice.
The reason it’s important to be clear about your status as data controller or data processor is because the GDPR imposes different obligations on you depending upon your status.
These obligations are described below, but it’s worth my making a couple of observations from the coalface of GDPR implementation.
Controller vs Processor: real life examples
With some seven months to go, business is starting to wake up to the GDPR. I’m handling a large number of cases where my clients are being asked to classify themselves as data processors in relation to their customers. I’m being asked whether my clients really are data processors, since this would mean they have to take on the obligations of a data processor.
For example:
• an international business intelligence supplier provides financial services news to its customers. Each customer sends the supplier a list of the email addresses of its users, and the supplier uses the email addresses to provide the daily news updates. Is the supplier a data processor? I’m arguing that it’s not, since it’s not holding the email addresses as a particular function on behalf of its customers – the personal data is held as an incidental part of supplying my client’s journalism. My client is a service provider, and not a data processor – and shouldn’t have to comply with a data processor’s obligations (NB this one is still an ongoing debate!)
• a software environment services provider is asked by their customer to sign up to a data processing agreement. The provider is my client, and doesn’t believe that they’re a data processor.
16 www.businessfirstonline.co.uk