The difference between a data controller and data processor isn’t an obvious one, especially if you’re just beginning on your GDPR compliance journey. Since May 25th, 2018, companies have needed to ensure their GDPR compliance, and understanding the terms data controller and data processor is a key part of that.
Read on to clarify the fundamental differences between these two roles, their responsibilities and what it means for your organisation.
What’s the difference between a data controller and data processor?
The data controller is the organisation which determines the purposes and means by which personal data is processed. The data processor is the organisation which processes that data on behalf of the controller. The controller carries the primary data protection responsibility, which means it remains accountable for the processing, including processing carried out by its processors, and can be held liable for it.
The DPA (Data Protection Act) makes clear that not all those involved in processing data carry the same degree of responsibility, which is why it is crucial to establish which of the two roles your organisation holds.
What is a data controller?
The data controller has the most responsibility when it comes to data protection. According to UK GDPR, the definition of a data controller is:
A ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Fundamentally, this means that if you decide the ‘why’ (the purposes) and the ‘how’ (the means) of the processing, your organisation is the data controller.
Data controller responsibilities
Deciding the purposes and means of processing is the controller's core responsibility, but there are further responsibilities that must be considered. If you're a data controller, your GDPR responsibilities include deciding or ensuring:
- What data will be collected
- How data will be stored, retrieved or used
- Which data processor to use, and that it provides sufficient guarantees of compliance
- That the processing, including any processing carried out by the data processor on your behalf, is compliant with GDPR
- Who the data will be shared with, including any third-party companies
- Where applicable, how the data will be modified or otherwise processed
How do I know if I’m the data controller?
There are a few questions that you can ask yourself, or your organisation, to identify if you are the data controller. If you answer yes to one or more of these questions, it’s very likely that you’re the data controller:
- Are you in charge of how the data is processed?
- Did you decide on the purpose, or outcome, of the data processing?
- Do you use third parties to process the data? If so, do you instruct them on how to process the data?
- Did you decide what type of data is collected?
- Did you decide to collect and process the data?
What is a data processor?
The data processor acts on behalf of the controller, processing data only on the controller's documented instructions unless required to do otherwise by law. According to UK GDPR, the definition of a data processor is:
A ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consequently, the data processor serves the controller's interests rather than its own and has narrower, though still direct, compliance obligations under GDPR.
Data processor responsibilities
Under the instructions of the data controller, the data processor has responsibilities that include:
- Implementing the processes and systems that gather the data chosen by the controller
- Implementing appropriate technical and organisational security measures
- Storing the data that's collected
- Transferring the data to the third parties chosen by the controller
- Notifying the controller without undue delay after becoming aware of a personal data breach, and assisting the controller in investigating and reporting it
- Holding a record of the processing activities carried out on the controller's behalf
- Informing the controller if, in the processor's opinion, an instruction infringes GDPR
Can you be both a data controller and data processor?
Yes, you can be both a data controller and a data processor, but for different processing activities. This is commonly the case when an organisation acts as a data processor on behalf of a client (the data controller) while acting as a data controller for other processing, such as the personal data it holds about its own employees.
For example, an IT company offering cloud solutions stores and processes its clients' data according to their instructions. The same IT company signs a contract with a payroll company to pay its employees' wages, and instructs that company on why and how its employees' data should be processed.
In the first instance the company is acting as a processor, and in the second as a controller. The key concept to take away is that you cannot be both the data controller and the data processor for the same processing activity.
Understanding your role under GDPR
It's important to know and fully understand your role under GDPR in order to comply with data protection law and to treat individuals' data fairly and respectfully. By establishing the roles and responsibilities of every organisation involved before processing begins, you greatly reduce the risk of compliance gaps.
Effortlessly comply with GDPR
GDPR applies to everything from email marketing to cyber security, but paper documents and files are often overlooked, even though they fall within its scope. Working with a fully compliant and experienced document scanning and storage specialist such as Shredall SDS Group can help data controllers meet their legal obligations and store data safely.