Responsibilities of GDPR Data Controllers and Data Processors

The General Data Protection Regulation often mentions GDPR data controllers and GDPR data processors. What is the difference between the two? Starting May 25, 2018 when GDPR is enforced, GDPR data controllers and GDPR data processors have specific duties and responsibilities. Organizations must know if they are classified as data processors or data controllers to avoid the risk of non-compliance to the strict standards under the new law. It is also necessary to know what are the data protections and procedures that need to be implemented if any.

GDPR Data Controllers

The categorization of data controllers and data processors is the same in the GDPR legislation. A data controller makes the decision on the types of data to be collected and the way the data should be processed.  For example, in a company processing payroll data, the company is the data processor while the customers are the data controllers.  What are the important responsibilities of GDPR data controllers under the law?

The GDPR data controllers must show in their data processing actions that they do not violate GDPR standards according to the accountability principle of Article 5, which states that

• data must be “processed lawfully, fairly and in a transparent manner”
• the use of data is strictly limited to “specified, explicit and legitimate purposes”
• only the minimum data required for the specified purposes will be processed
• data must be accurate and up-to-date

Data controllers must ensure the confidentiality of data. To make sure of compliance with the rules, data controllers must introduce a code of conduct and put the rules in place at the start of their activities. Data controllers are also responsible for ensuring that “appropriate technical and organisational measures” are respected. The concept of data protection by design and by default is explained in Article 25 of the GDPR, which mentions the following measures:

• Data-protection principles like data minimization must be implemented
• Only the required data for specific purposes is processed and stored
• The period of data storage is set to a minimum
• Data access is strictly limited to people that need it
• There must be designated parties responsible for data protection, risk assessments, risk reduction and data minimization.

GDPR Data Processors

GDPR data processors are public entities or agencies that process or store data. This role of processing data is critical hence the selection of data processors must be carefully reviewed. GDPR requires due diligence in choosing a data processor with strict agreements in place. The chosen data processor must fulfill the requirements stated in the agreement and those imposed by data controllers and regulatory authorities. The responsibilities of data processors include:

• Designation of a Data Protection Officer (DPO) – this is especially required when processing a big volume of data or data related to legal and criminal records
• Contracting the services of sub-processors is not allowed without securing a written permission first. Sub-contractors must submit to the same standards required by data controllers and regulatory authorities.
• Data processors including sub-contractors must meet GDPR standards and follow established procedures when transferring data to non-EU countries
• Data processors are responsible for errors committed by their sub-contractors
• Data processors must be able to answer questions or objections asked of them
• Data processors must satisfy the requests of data subjects such as the “right to be forgotten,” right to a copy of data and right to object to the use of their data.

Data controllers and data processors must work in close collaboration to ensure compliance with the GDPR. This is especially important when conducting impact or risk assessments.