If your business processes personal data in the EU, the General Data Protection Regulation (GDPR) will identify you as either a data controller or a data processor. You might even be both, depending on what you’re doing at any one time.
GDPR defines a data controller as someone who makes decisions about how data is processed. A data processor carries this processing out on the data controller’s behalf. You might be asking yourself a few questions at this point:
- what is personal data?
- what does ‘processing’ personal data mean?
What is personal data?
GDPR defines personal data as anything that identifies an individual, such as someone’s name, their IP address, their payment card details, or anything else that can be used to identify someone.
What is processing?
In the context of GDPR, just think of processing as anything you could possibly do with personal data. If you’ve written down someone’s name, taken someone’s credit card number over the phone, or sent someone an automated email, you’ve processed their personal data.
Responsibilities of the Data Controller
The data controller may process personal data themselves, or they may contract out the processing of some or all personal data to a data processor. GDPR places important responsibilities on the data controller either way. In order to fulfil your ethical duty to respect individual personal privacy, and to avoid prosecution and large fines, it’s essential that your business understands and honours its obligations under GDPR.
Write a privacy notice
Writing a privacy notice – or revisiting your existing one – is not only a requirement under the GDPR, but also a great exercise for your business. The process of writing a privacy notice will help you really get to grips with the GDPR and assess whether or not you’re truly compliant.
In essence, a privacy notice should explain:
- why you are allowed to process personal data (your legal basis)
- how you’ll be processing it
- how you’ll store it, and for how long
- who else might see it (including your data processor)
- what you’ll do in the event of a security breach.
Your privacy notice needs to be written in simple language that your customer will understand. Cut out any ‘legalese’.
Appoint a Data Protection Officer
Under GDPR, your business may require a Data Protection Officer if:
- you’re a public body, or providing public services funded mainly by the state
- you engage in large-scale tracking or monitoring of individuals
- you process special category (sensitive) data, or data about criminal offences, on a large scale.
Here are some examples of businesses that may be required to appoint a Data Protection Officer under the GDPR:
- a software company whose mobile app uses location tracking
- a healthcare firm that deals with patient medical records
- a taxi company that collects information about travel activity.
A Data Protection Officer may be someone who is already working in your organisation, but they must be trained to offer expert-level advice about data protection.
Choose Data Processors carefully
As a data controller, your business may need to employ the services of a data processor (or multiple data processors). Under the GDPR, you are accountable for your choice. Here are some examples of data controllers that might use a data processor:
- a travel agent that uses a survey site to gather feedback from its clients
- a law firm that uses an online database to manage case notes
- a marketing company that uses an automated email service for campaigns.
Your business must have a clear contract with its data processor, which informs them of exactly how you want your customers’ data to be looked after. You must be able to demonstrate that you’ve checked that the data processor is compliant with GDPR.
Your data processors might be based outside of the EU. This is only acceptable if you have established that you can legally send personal data overseas. This must be written into your privacy notice.
Responsibilities of the Data Processor
You might be thinking that the data processor has an easier ride under the GDPR. The data controller makes all the decisions – the data processor is just following orders, right? Well, not exactly. The list of responsibilities that a data processor has under the GDPR is shorter. But they are far more accountable now than they were under the previous legislation, the Data Protection Directive, and can be fined just like data controllers.
Duties shared with the Data Controller
Some of the data processor’s duties are shared with the data controller, for example:
- having an in-depth comprehension of the GDPR
- only ever processing personal data lawfully
- assessing whether they require a Data Protection Officer and appointing one if necessary
- always co-operating with and respecting data authorities in whichever Member State they are operating (for example, the Office of the Information Commissioner in the UK).
Always obey the contract
Because a data controller has the final say over the means by which their customers’ data is processed, a clear contract must exist between them and their data processor. The data processor must ensure that the contract they sign is compatible with the GDPR. And once the contract’s agreed, they must stick to it.
The data controller has made specific assurances to its customers about the way that their personal data will be handled. It’s your job to carry this out on their behalf.
Properly vet sub-processors
It might be necessary for data processors to bring in sub-processors (additional data processors) to help them with their task. This is fine, under certain conditions:
- you must have the written permission of your data controller. This might be an ongoing permission which grants you some degree of autonomy, or it might be that you have to gain written permission each time.
- any sub-processors you appoint must be GDPR compliant
- if sub-processors are based overseas, you must check that you and the data controller have sufficient authority to process your customers’ data in this way.
It’s all about accountability and understanding
Whether your business is a data controller or a data processor, you must:
- understand the principles and purpose of the GDPR
- understand your role according to the GDPR
- always process data in a way that is lawful under the GDPR
- be accountable for data privacy and security.
Four Business Solutions
Four Business Solutions helps small and multi-national organisations enrich the way they work. From Supply Chain to Procurement and Contract Management, we have decades of experience helping companies forge ahead in the global market. Our success is built on values like trust, teamwork and vision. We believe that people are at the heart of any business and that Business Process Improvement gives our clients a world-class, professional advantage. If you’d like to meet one of our expert consultants, please call John O’Brien, on 0800 6250 025 to schedule a product demonstration.