Understanding GDPR Data Controller in 5 easy steps
We’ve all heard of GDPR, but in case you haven’t, it is a piece of legislation enacted by the European Union which strengthens the protection of EU residents’ data and prevents its misuse. If you have failed to adequately make your organisation GDPR ready, you could be putting your organisation at severe risk of a €20,000,000 fine or 4% of annual global turnover (whichever is greater), as well as the irreparable brand damage a breach would cause.
GDPR in practice raises some really big questions, such as: Who is liable in the event of a breach? Who is the GDPR data controller? Who is the GDPR data processor?
1) What is GDPR?
Before we understand the role of a GDPR data controller, we must first understand what GDPR is. In simple terms, GDPR is the General Data Protection Regulation, which came into effect on May 25th and forbids the misuse of EU citizens’ data whether your company is based in the EU or not.
2) Who is the GDPR Data Controller?
In simple terms, the GDPR data controller is the organisation that decides how and why customers’ personal data is processed. They control the data but do not necessarily hold or process it; however, they are responsible for how it’s used, stored and deleted.
3) What are the GDPR Data Controller’s responsibilities?
Under GDPR, data controllers are obliged to:
- Protect personal data against compromise or loss by implementing strict technical and organisational measures to secure data.
- Have a legal agreement with your processors that ensures they only act on your instructions and comply with GDPR.
4) Who is the GDPR Data Processor?
A data processor, on the other hand, is a company or person who processes personal data on behalf of the controller.
This could include something as simple as storing the data on a third party’s server but also includes for example payroll companies, accountants and market research businesses.
5) What are the GDPR Data Processor’s responsibilities?
Under GDPR, data processors have a lot more responsibilities, including:
- Appoint a Data Protection Officer, if their business processes sensitive data or ‘big data’
- Implement significant security measures
- Maintain a record of all data processing operations under their responsibility
- Inform the data controller(s) immediately of any leaked data
- Become a joint controller for any data processing they carry out beyond the scope of the controller’s instructions
GDPR has changed the way we process and control data, and understanding your role as either a data controller, a data processor or both is not only essential to protect your users but also required by law.