The basics (3/3): key stakeholders in data protection

Beyond the data subject lies a multitude of actors, all involved in the collection and processing of personal data.

Elias Arfi
Privacy Focused
Published in Privacy Focused
6 min read · Feb 18, 2021

The final concept we need to introduce before diving deeper into privacy, data protection and compliance is the set of main stakeholders involved in the collection and processing of personal data.

When personal data is processed, up to four main categories of stakeholders can be involved in the processing activity: the data subject, the data controller, the data processor, and the data protection authority.

The privacy ecosystem

As usual, let’s try to explain this using a concrete example, one that a lot of us have done at least once in the past year:

You log in to Instagram, choose a nice sunny picture from the days when we could all still live in society normally, then publish it on your feed. The deed is done; you scroll a little to see your old photos. Ah! The good old days.

Let’s see who’s involved in the underlying personal data processing activities:

A complex ecosystem.

Data subject

You, when you publish photos on Instagram.

You log in to your Instagram account. When you created it, Facebook/Instagram told you which personal data they intended to collect via the app, and how to exercise your rights. (I won’t blame you if you did not pay attention to it, though; their legalese is pretty hardcore.) Anyway, you choose a nice photo of yourself and publish it to your profile.

In this case, as you’re the original owner of the personal data you are posting on Instagram, you are the data subject.

The data subject is the original owner of the personal data: the person whom that data makes identifiable. In most countries (and especially in Europe), the data subject must be informed in a clear and understandable manner of what will be done with their personal data, how long and where it will be kept, and whether any third party is involved.

In addition, some regulations provide the data subject with additional rights, such as:

  • The right to be forgotten (i.e. to have their personal data deleted);
  • The right of access to their personal data;
  • The right to object to or restrict the processing of their data;
  • The right to portability (i.e. to obtain an extract of their personal data in a reusable format);
  • The right to rectify any out-of-date or incorrect personal data.

The data subject remains the owner of their personal data; collecting and processing that data does not transfer its ownership. That is why these rights exist: so that the data subject can make sure that no foul play is involved regarding their data, and can take action if there is.

Data controller

Instagram, which decides what to do with the personal data you provide it.

When you published your photo, Instagram added it to your profile and shared it with a sample of your followers to analyse its potential reach.

In addition, they also collected behavioural metrics to better profile you for their advertising model.

As Instagram is the company that decided to initiate the data collection and defined its scope and the associated means, it is the data controller in this context.

According to the European Commission, a data controller is the company or organisation that ‘determines the purposes for which and the means by which personal data is processed’.

Being the data controller involves multiple responsibilities in terms of data protection: you must ensure that the data subjects’ rights are respected, and that the personal data they provided you is handled in a secure and compliant manner. Basically, don’t act like Facebook circa 2016.

As a data controller, you must also ensure that any third party that you delegate a personal data processing to is compliant and provides enough data protection guarantees to prevent mishandling of the personal data.

Data processor

Cognizant, the guys mandated by Instagram to check whether or not you published something illegal.

When you post a new photo to your account, Instagram relies on external help from another company, Cognizant. Instagram provides Cognizant with the means and specific instructions to check whether there is anything illegal in the published photos.

In this case, as Cognizant reviews the user photos on behalf of Instagram (which defined the scope and objectives of the intervention), Cognizant is acting as a data processor.

The EU Commission states that data processors are companies or organisations that process personal data only on behalf of the controller. That means that, within the scope of a specific processing activity, they would not be involved at all if the data controller had not mandated them to do so.

As they act on behalf of the data controller, data processors must make sure that their instructions are clearly stated and formalized in a contract, and must provide sufficient guarantees regarding their data protection practices.

If they themselves rely on other data processors (for example, AWS storage), they should declare them to the data controller.

Knowing whether you are acting as a controller or a processor requires a case-by-case assessment, and is especially tricky if you are a business that works with other businesses.

Data Protection Authority

A.k.a. the guys who are mandated to make sure that no foul play is involved regarding your privacy.

If, for example, you discover that some of the photo reviewers at Cognizant are creating copies of photos that they like and keeping them for their own use, you can contact your relevant Data Protection Authority to lodge a complaint regarding this mishandling of your personal data.

The Data Protection Authority will then launch an investigation to assess the situation, and impose sanctions on the relevant stakeholders if it is confirmed that personal data was misused.

Data Protection Authorities (or DPAs), still according to the EU Commission, “are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints.”

They provide guidance for both companies and individuals, and also dish out increasingly heavy fines to businesses that do not respect their applicable privacy regulation(s).

Most of them have dedicated websites and social media channels that provide guidance and support to data subjects and businesses alike. DPA websites I like a lot for GDPR knowledge are the UK’s ICO website (ico.co.uk) and France’s CNIL (cnil.fr).

Privacy watchdogs

A.k.a. the guys who fight for your right to privacy.

There is also a constellation of associations that fight for people’s right to privacy, and that have been doing so for decades.

For example, the Electronic Frontier Foundation has a dedicated guidance page full of knowledge and tools.

Privacy watchdogs are usually very data-subject friendly, and their advice is generally aimed at data subjects rather than at businesses.

Now that we have covered the main stakeholders of the privacy ecosystem and presented most of the key definitions, we can finally start going deeper into the subject of privacy and compliance.

The next few articles will cover the main data protection principles that you should be aware of. Hope we’ll see you there!
