All you need to know about GDPR Controllers and Processors

Understanding what GDPR meant as Controller, Processors and their responsibilities.

In the introductory post of this series I have briefly discussed about the GDPR definitions of Controller and Processor, let’s start recalling these definitions.

There are number of similarities between Controllers and Processors, both of these entities can be a natural or legal person, public authority, agency or other body which carried out processing of personal data belong to an individual. A given data processing organization can be either Controller or Processor based on their answers for the following two questions.

  1. Whether the particular organization determine the purpose of the data processing (Why ) ?
  2. Whether the particular organization determine the means of processing ( How) ?

If the answer is ‘Yes’ then the organization is a Controller, if the answer is ‘No’ then the organization is a Processor.

Let’s take few examples to explain this concept properly, assume a biscuit manufacturing company delegated a market research company to conduct a research and provide recommendation on what they should target in their new product line in order to reach 10% market growth. This is a very clear goal provided by the biscuit manufacturing company and there is no any other data or conditions provided by the biscuit manufacturing company as well. The marketing research company has the freedom to decide target individuals for the research, what kind of personal data are collecting, what kind of personal data are storing, storage mechanism, approaches of processing data etc. In this example ‘the purpose of the data processing and means of data processing’ is decided by the marketing research company, this means marketing research company is a Controller under the GDPR regulations.

Another example, a payroll management company, they process personal data provided by some other company under their instructions. Usually payroll handling companies don’t determine what the purpose and how to process those payments and related personal data, this means that the particular payroll handling company is a Processor under the GDPR regulations.

Before we conclude this section here is the exact GDPR definitions for Controller and Processor.

Controller

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor

The processor is the entity (that can be natural or legal person, public authority, agency or other body ) which processes personal data on behalf of the controller under the controller’s instructions.

Controllers can be further categorized based on factors such as whether they operate as a single legal entity or not, based on their establishment etc.

Joint Controllers

When more than one controller involving in to decide the purpose and means of processing , those controllers are known as “Join Controllers”, according to the GDPR Join controllers should fulfill following set of requirements.

  1. Each controller should able to demonstrate each of their responsibilities, compliance and obligations to individuals and supervisory authorities in a clear, unambiguous and transparent manner.
  2. Arrangement among each controller should be accordance with EU/member state laws.
  3. Each controller should able to provide the arrangement among controllers to individuals and supervisory authorities.

Controllers established outside the EU

In addition to general regulations, controllers established outside the EU must appoint a representative and must fulfill following criteria as well.

  1. The representative should be within the EU.
  2. The representative should be able to engaged with supervisory bodies and individuals to response issues related to personal data protection and the GDPR compliance.
  3. The appointment of a representative should be based on written mandate.
  4. Appointment of a representative does not mean reduction of any responsibility from a processor or a controller.

However public authorities, criminal convictions and organizational processing small amount of personal data (not special categories) in occasional basis are excluded from above requirements.

Responsibilities of the Controller

According to the GDPR controllers should ensure to implement appropriate technical and organizational process to be in compliance with the GDPR, additionally controllers should able to demonstrate those technical and organizational process are accordance with GDPR. These changes may include …

  1. implementations of data protection policies.
  2. adherence to code of conduct defined in the GDPR
  3. adherence to certification process defined in the GDPR

The controller also subject to following two principles

— Data protection by design According to this principle, at the time of determining the purpose of data processing (planning time) and at the time of actual data processing itself (execution time) controllers should implement appropriate technical and organizational measures, few of the most important measures are given below.

  • Pseudonymization of personal data.
  • Encryption of personal data.
  • Adhere to CIA security principles: Confidentiality, Integrity, and Availability.
  • Ability to restore the data in case of physical or technical incident.
  • Ensure the resilient nature of the processing system.
  • Ability to support audits, inspections and other security measures.

— Data protection by default According to this principle, controllers should only processes personal data required for current purpose of the processing, this also implies collection of only required data and store them and store them only for required duration.

The controllers should only use processors who can provide guarantee and demonstrate their in compliance with the GDPR, the GDPR code-of-conduct and certification elements are helpful to make such decisions. Also controllers should ensure processors process data based on the exact instruction provide by the controller.

The controller should maintain record of data processing including following information.

  1. Name and contact details of the controller, any representative or any data protection officer (DPO).
  2. Purpose of the data processing.
  3. Type of data and categories of data subjects.
  4. Whether the data will be transferred to 3rd party.
  5. Whether the data will be transferred to 3rd party country.
  6. How long data will be kept within the controller.
  7. Technical and organizational security measures followed by the controller.

Conducting a data protection impact assessment (DPIA) depending to the nature of the data processing is also a responsibility of the controller, we will discuss impact assessment in a separate section.

Responsibilities of Processor

  • Processing of personal data by a processor should be always based on documented instructions from a controller.
  • A processor should able to demonstrate their GDPR compliance in data processing to controllers and to supervisory bodies.
  • A processor should not engage with another processor without written approval from the controller.
  • If a processor is subject for any special data transfer regulations from EU/Member state, it should communicate those regulations to the controller.
  • People who accessing personal data from processor’s side should commit to ensure the confidentiality.
  • The processor should assist the controller to fulfill the requests from individuals.
  • The processor should assist the controller to be in compliance with the GDPR regulations.
  • The processor should cooperate with the supervisory bodies.
  • Based on controller’s choice the processor should able to delete any stored personal data.

The processor should maintain record of data processing including following information.

  1. Name and contact details of the processor, associated controllers, any representative or any data protection officer (DPO).
  2. Purpose of the data processing of each controller.
  3. Type of data and categories of data subjects.
  4. Whether the data will be transferred to 3rd party.
  5. Whether the data will be transferred to 3rd party country.
  6. How long data will be kept within the controller.
  7. Technical and organizational security measures followed by the controller.

How to behave in a data breach

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. A data processing organization (controller or processor ) should take every possible measures to eliminate risk of a data breaches but in reality nobody can practically guarantee on 100% security on data or a system, considering this practical risk the GDPR provides comprehensive set of regulations to deal with a data breach incidents which includes

  • how to communicate with supervisory bodies.
  • how to communicate with individuals that the data breach is possibly affected.

It’s mandatory to establish efficient procedures by controllers/ processors for above notifications.

During a data breach following procedure should be followed to communicate with the supervisory bodies.

  • Inform the the data breach within 72 hours.
  • If it’s a processor inform the controller without any delay.
  • Provide the contact details of Data Protection Officer (DPO) or any other person responsible.
  • Document all the facts related to the data breach and make it available for supervisory bodies inspection.
  • Notifications should include following information, in case all the data not available data can be shared in phases.

— Nature of the the data breach.

— Categories of the data breach.

— Approximate number of individual affected.

— Approximate number of data record affected.

— Consequences of the data breach.

— Proposed measures to mitigate the data breach.

During a data breach following procedure should be followed to communicate to individuals.

  1. Communicate to each individual without delays.
  2. Notification should use clear and plain language.

Data Protection Impact assessments (DPIA)

The GDPR recommends controllers to carry out a data protection impact assessment (DPIA) depending on the nature of data processing specially when moving to use new technologies. This impact assessment need to be conducted prior to any data processing take place and if the DPO present controllers can seek for advice.

Following are the cases that the GDPR mandate to conduct impact assessments.

  1. Systematically and extensively evaluating personal data using automated processing including profiling.
  2. Processing large scale of personal data belong to special category.
  3. Large scale systematic monitoring of publicly accessible area.
  4. Additionally supervisory authorities can mandate list of such cases.

An impact assessment should focus on following factors.

  • Systematic process of processing.
  • The purpose of the processing.
  • Assess the purpose and the process of processing.
  • Assess the risk related to individual’s right of freedom.
  • Measures to mitigate possible risk.

In case result of an impact assessment indicate a high risk, the controller can consult supervisory authorities for advices, the GDPR have clear guideline what need to be communicated with a supervisory authorities with applicable timeline details.

Data Protection Officer (DPO)

The GDPR introduce a special role called Data Protection Officer (DPO) to provide necessary advices to processing organizations and act as the point of contact for outside works such as individuals and supervisory authorities.

Both controllers and processors can appoint a DPO considering his/her professional qualifications, expert knowledge and ability to perform the assigned task, also one DPO can server for a group of related organizations. A DPO can be a staff member of the organization or can be a contract based individual as well, additionally DPO can perform any other tasks within the organization as far as those activities are not cause any conflict of interest issues.

As per the GDPR compliance, a processing organization should assist to the DPO to carry out his activities and should ensure that the DPO is engaged in any matter related to data protection, additionally the DPO should report to the highest level of the processing organization.

Individuals should contact the DPO to solve any issues related to their personal data and the DPO is bound to keep confidentiality in carrying out his/her duties.

According to the GDPR appointment of the DPO is required in following cases.

  1. Processing is carried out by a public authority expect courts.
  2. The nature of data processing require regular monitoring from individuals.
  3. Data processing involve large amount of data categorized as special or proceeding data related to criminal convictions.
  4. Some other conditions according to the EU/Member state laws.

GDPR text itself does not provide quantitative interpretation about the phrase “ large amount of data “ but according to Gartner ..

processing more than 5000 individuals data within 12 months then such organizations are inclusive under large amount of data “ phrase. (http://www.gartner.com/smarterwithgartner/top-five-priorities-to-prepare-for-eu-gdpr/)

GDPR also list out following basic responsibilities for the DPO.

  • Inform and advise staff members on data protection regulations and procedures.
  • Monitor the compliance with the regulations.
  • Advice on data protection impact assessments.
  • Cooperate with supervisory authorities and act as point of contact for supervisory authorities.
  • Act as the point of contact for individuals related to any data protection related matters.

Code-of-conduct and certifications

Under the GDPR regulations associations or other bodies such as professional bodies representing categories of controllers/processors are encouraged to come up with codes-of-conduct, within the limits of GDPR regulation, aiming to facilitate the effective application of GDPR. GDPR regulation provide further details about exact procedure to follow and guidelines to form such code-of-conducts including monitoring mechanism for approved code-of-conducts.

In order to help the controllers/processors to be in compliance with regulation, GDPR encourage the establishment of certification mechanisms and data protection seals. From individuals point of view such certifications and seals help to quickly assess the level of data protection of relevant products and services. You can read further details on certification from GDPR main text.

Like what you read? Give Sagara Gunathunga a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.