
Are you a data processor or a data controller?

What GDPR means for you

Intrasource

The General Data Protection Regulation (GDPR), which comes into force on May 25th 2018, introduces, for the first time, direct compliance requirements and potential financial penalties for data processors.

Previously only data controllers have been in the firing line.

This is one reason why it is now more important than ever for businesses to understand what role they play in the processing of personal data. Are you a data processor or a data controller?

Understanding which one you are will help you put the right measures in place to become GDPR compliant. It will also help you understand your relationship with other third-party organisations.

This matters because, when you share data with other organisations and you are the data controller, you will need to seek assurances from those organisations that they have put appropriate organisational and technical measures in place to protect the data and maintain its integrity.

You will also need to know whether they do any further processing of the data that they fully control for their own purposes, as opposed to further processing on your behalf. In other words, is the third-party organisation a data controller or a data processor? The answer to that question affects what information you must give data subjects about how their data will be processed.

Article 28(1) of the GDPR states that:

  • Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

In other words:

  • As a controller you risk a penalty if you do not properly vet the data processors you use.

This is a good thing for us as data subjects, as it should see controllers and processors working more closely together to understand each other's requirements, methods and security measures.

The regulation defines controllers and processors as follows:

  • Controller (Article 4(7)) – natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • Processor (Article 4(8)) – natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

The GDPR places more emphasis on the accountability of businesses and introduces a risk-based approach to compliance. This in turn introduces a significant responsibility to document processing activities, which Article 30 requires as a record of processing activities.

If you are a controller for the personal data you process, you need to document the following:

  • Your organisation’s name and contact details.

  • If applicable, the name and contact details of your data protection officer – a person designated to assist with GDPR compliance under Article 37.

  • If applicable, the name and contact details of any joint controllers – any other organisations that decide jointly with you why and how personal data is processed.

  • If applicable, the name and contact details of your representative – another organisation that represents you if you are based outside the EU, but you monitor or offer services to people in the EU.

  • The purposes of the processing – why you use personal data, e.g. customer management, marketing, recruitment.

  • The categories of individuals – the different types of people whose personal data is processed, e.g. employees, customers, members.

  • The categories of personal data you process – the different types of information you process about people, e.g. contact details, financial information, health data.

  • The categories of recipients of personal data – anyone you share personal data with, e.g. suppliers, credit reference agencies, government departments.

  • If applicable, the name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the EU.

  • If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a small number of people’s personal data, which is based on a compelling business need, as referred to in the second paragraph of Article 49(1) of the GDPR.

  • If possible, the retention schedules for the different categories of personal data – how long you will keep the data for. This may be set by internal policies or based on industry guidelines, for instance.

  • If possible, a general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.

If you are a processor for the personal data you process, you need to document the following:

  • Your organisation’s name and contact details.

  • If applicable, the name and contact details of your data protection officer – a person designated to assist with GDPR compliance under Article 37.

  • The name and contact details of each controller on whose behalf you are acting – the organisation that decides why and how the personal data is processed.

  • If applicable, the name and contact details of your representative – another organisation that represents you if you are based outside the EU but you monitor or offer services to people in the EU.

  • If applicable, the name and contact details of each controller’s representative – another organisation that represents the controller if they are based outside the EU, but monitor or offer services to people in the EU.

  • The categories of processing you carry out on behalf of each controller – the types of things you do with the personal data, e.g. marketing, payroll processing, IT services.

  • If applicable, the name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the EU.

  • If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a small number of people’s personal data, which is based on a compelling business need, as referred to in the second paragraph of Article 49(1) of the GDPR.

  • If possible, a general description of your technical and organisational security measures – your safeguards for protecting personal data, e.g. encryption, access controls, training.

Intrasource can help you put the right technical measures in place to move towards compliance, and we can undertake a security audit to see how well prepared you are to protect your digital data. Contact us to see how we can help with your GDPR needs.
