GDPR Blog Week 8: Data Controllers and Data Processors
After the 25th May this year, there is a new responsibility under the GDPR for data processors, who can now be held accountable by the Information Commissioner’s Office (or “ICO”) for failing to comply with the new Regulation. If they are found to be in breach, or if they report a breach as they are required to do under the GDPR, then they may be liable to a penalty, and this follows the same tariff as that applied to data controllers. This widening of the scope of data protection legislation to include data processors redresses the balance previously applied by the Data Protection Regulation 1998 (or “DPA”) and comes as a welcome change for data controllers. As mentioned in my previous blog on Fines (Blog 1), penalties can be significant, not to mention the harm they do to your reputation and brand. It is important, therefore, that you correctly identify whether you are a controller, a processor, or in some cases, both.
In order to answer the question of whether your organisation is a data controller or data processor, we need to take a step back to the guidance given under the old DPA regime. A data controller determines the purpose and manner in which the data is processed (the “why” and “how”) whereas a data processor processes that data on behalf of the data controller. Processing here is essentially anything you do with that data, be it obtaining, recording, storing, filing or carrying out any set of operations on that data.
A data processor, on the other hand, may decide what IT system is used to collect the data, how to store it, how to keep it secure and the means by which it is retrieved, deleted or transferred from one organisation to another. Whilst the definition of processing suggests a data processor’s activities would be limited to the more technical aspects of the operation, this distinction is often blurred where the holding of personal data may be common to both a controller and processor.
The starting point will be to consider what influence you, as an organisation, have over determining the purpose of processing the data. If you have exclusive control over this element, then you will be a controller. Other questions you should consider are: do you have a lawful basis to undertake data processing activities? Do you collect the data in the first place and decide which categories of data you need to support your business model? Do you decide who to disclose or share this data with, and are you the organisation to whom subject access requests are made? Do you decide the retention periods for the data stored? If you answer yes to these questions, then you will be a data controller. Conversely, if you don’t store your data in-house and it is supported by a cloud service or IT system provider, then that provider is likely to be a data processor.
These definitions may still be difficult to apply given the complexity surrounding modern business relationships. For example, outsourcing to an IT solutions firm to process your data means that this firm will have its own data controller responsibilities for the personal data it maintains in relation to its own workforce. Consequently, the label an organisation operates under boils down to the processing activities it actually carries out. You can see how things can get complicated.
As both controllers and processors are now liable under the GDPR, it makes sense for there to be a degree of collaboration and clarification between the two to ensure that any compliance gaps are identified and plugged. The GDPR assists in this by including a prescribed list of mandatory clauses that must be contained in any data processing agreement. These relate to the safety, security and sharing of data but also address compliance issues and cooperation when dealing with data subjects’ rights. Data controllers and processors should focus on negotiating and renegotiating their data processing agreements to ensure that the scope of instructions is clearly defined and any increased costs of compliance are allocated between the parties. A clear understanding of your obligations under a contract will limit your exposure under the new Regulation.
I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.email@example.com or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.
We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Data Principles, looking at their application within a business or organisation. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.