OneDPO

Role of Data Controller and Data Processor

The General Data Protection Regulation (GDPR) has applied across the EU since 25 May 2018 and sets out rules for the processing of personal data by controllers and processors. This blog explains what a data controller and a data processor are, how to tell which one your organization is, and which obligations attach to each role.

How Does the GDPR Define Personal Data?

The General Data Protection Regulation (GDPR) is the most comprehensive data protection law to date. Under the GDPR, personal data is any information relating to an identified or identifiable natural person (the data subject). A person is identifiable by reference to identifiers such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. A subset of personal data, the special categories (for example genetic, biometric and health data), is subject to stricter rules. Whenever such data is processed, the GDPR assigns responsibilities to two roles: the data controller and the data processor.

Definitions of Controller and Processor

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, and only on the controller's documented instructions.

Controller v/s Processor

For example: if you own a website that collects the names, email addresses and other personal information of your customers, you are the data controller, because you decide why the data is collected, how it is used and with whom it is shared. A third-party service that stores that data or sends email on your behalf (a hosting provider or an email delivery service, for instance) is a data processor: it handles the data only as you instruct it. The test is who decides the "why" and "how", not who physically holds the data. A processor that starts using the data for its own purposes becomes a controller for that processing, with all of the obligations that brings.

Responsibilities of the Controllers

The controller is responsible for, and must be able to demonstrate, compliance with the principles relating to the processing of personal data. Data controllers need to establish a lawful basis for collecting the data and provide a privacy notice that tells data subjects the purpose of the collection and the recipients, or categories of recipients, with whom the data is shared.

If a data subject requests erasure of a particular record, the controller is responsible for handling the request and must instruct its processors to erase the data from their systems as well. Joint controllers are expected to determine their respective responsibilities by means of an arrangement between them, and the essence of that arrangement must be made available to the data subjects.

Data controllers also need to implement appropriate technical and organizational security measures, such as pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to the data in a timely manner after an incident (backup and disaster recovery); and a process for regularly testing and evaluating the effectiveness of those measures.
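Pseudonymization is worth a concrete look, because it is often done wrong. The GDPR treats data as pseudonymized only if it can no longer be attributed to a data subject without additional information that is kept separately. Replacing an email address with a plain SHA-256 hash does not meet that bar: anyone who can guess the email can recompute the hash and re-identify the record. A keyed hash (HMAC) under a secret held by the controller does, provided the key is stored separately from the pseudonymized dataset. The script below is an added example written for this post, not code from OneDPO or any product; the customer records and the attacker's guess list are constructed sample data, and the function names are the author's own.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample records for the demo; not real customer data.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "country": "DE"},
    {"name": "Bob Example", "email": "bob@example.com", "country": "FR"},
]

# Constructed guess list an attacker might try against a leaked dataset.
GUESSES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_pseudonym(email: str) -> str:
    """Unkeyed hash. Looks anonymous, but anyone can recompute it from a guessed email."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that stays with the controller.

    The pseudonym is stable for the same email (so records can still be joined),
    but without the key it cannot be recomputed from a guessed email.
    """
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: Iterable[dict], key: bytes) -> List[dict]:
    """Strip direct identifiers before handing records to a processor.

    The key is the 'additional information' that must be kept separately
    (for example in the controller's secrets store, never alongside the export).
    """
    out = []
    for r in records:
        out.append({"subject_id": keyed_pseudonym(r["email"], key), "country": r["country"]})
    return out


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification attempt: recompute pseudonyms for guessed emails and compare."""
    for c in candidates:
        if hmac.compare_digest(fn(c), target):
            return c
    return None


def run_demo() -> dict:
    """Show that the unkeyed scheme is reversible by guessing and the keyed one is not."""
    key = secrets.token_bytes(32)  # generated fresh here; in practice load from a secrets store
    exported = pseudonymise_records(CUSTOMERS, key)

    naive_hit = dictionary_attack(naive_pseudonym("alice@example.com"), GUESSES, naive_pseudonym)
    # The attacker does not have the key, so the best they can do is an unkeyed guess.
    keyed_hit = dictionary_attack(exported[0]["subject_id"], GUESSES, naive_pseudonym)

    return {
        "exported": exported,
        "naive_reidentified": naive_hit,   # "alice@example.com"
        "keyed_reidentified": keyed_hit,   # None
    }


if __name__ == "__main__":
    result = run_demo()
    print("Exported records:", result["exported"])
    print("Unkeyed hash re-identified as:", result["naive_reidentified"])
    print("Keyed pseudonym re-identified as:", result["keyed_reidentified"])
```

The design point is that the pseudonym key is itself personal-data-relevant material: if it is shipped to the processor together with the export, the data is no longer pseudonymized from that processor's point of view, and a breach at the processor is a breach of identifiable data.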

Responsibilities of the Processors

The data processor must implement the controls needed to comply with the GDPR in its own right, because fines can be imposed on processors as well as controllers. A processor must process personal data only on the controller's documented instructions, ensure that the people handling the data are bound by confidentiality, and engage sub-processors only with the controller's authorization. The processor must also maintain a record of the categories of processing it carries out on behalf of each controller.

The processor has to make available the information needed to demonstrate compliance and must allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller. Processors should also review their existing data processing agreements to confirm that they meet these obligations, and they must inform the controller immediately if, in their opinion, an instruction from the controller infringes the GDPR or other data protection law.

Who is Responsible in Case of a Data Breach?

When a processor becomes aware of a personal data breach, it must notify the affected controller without undue delay. The controller must document every breach, including its facts, effects and the remedial action taken, and must report it to the Supervisory Authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay.

To reduce this risk, controllers should carry out a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, and revisit it regularly; processors must assist with these assessments. Each assessment must describe the processing and its purposes, assess its necessity and proportionality, evaluate the risks to data subjects and set out the measures chosen to address them.

Is Appointing a DPO Compulsory?

Not every organization needs one. Both controllers and processors must appoint a Data Protection Officer (DPO) if they are a public authority or body, if their core activities involve regular and systematic monitoring of data subjects on a large scale, or if their core activities involve large-scale processing of special categories of data or of data relating to criminal convictions. Organizations outside these cases may still appoint one voluntarily. A DPO's role is to:

  • Inform and advise the organization and its staff about their data protection obligations.
  • Monitor compliance with the GDPR and the organization's own policies, including awareness and training.
  • Advise on, and monitor the performance of, data protection impact assessments.
  • Cooperate with, and act as the contact point for, the relevant Supervisory Authority.

Conclusion

The distinction between controller and processor, and the obligations that attach to each under the GDPR, can be tricky to draw, but drawing it correctly is always vital: it decides who must have a lawful basis, who answers data subjects, who reports a breach to whom, and who is liable when things go wrong. Making sure you meet the obligations of whichever role you occupy is an urgent priority in protecting you or your business from potential liability under the GDPR.