Data Protection Roles Under GDPR: What You Need to Know.
One of the key things to understand in order to comply with your data protection obligations is what your data protection role is. Your role dictates your responsibility for data protection compliance.
Data Controller
The data controller determines the purposes and means of processing personal information. They decide what to collect, how it will be used, how long it will be stored and how it will be destroyed, and they provide privacy information to the individuals whose personal information they collect. Usually the data controller is the organisation collecting the information. Other data controller responsibilities include:
- Ensuring GDPR compliance
- Implementing appropriate security measures
- Maintaining records of processing activities
- Conducting data protection impact assessments when necessary
Data Processor
The data processor only processes personal information on behalf of a data controller. They only use the personal information in the ways they are instructed to by the data controller they are working for. Data processors are usually third-party service providers; examples include IT support services, payroll providers, Microsoft Office, Dropbox and accounting software. Processors must:
- Act only on documented instructions from the controller
- Ensure the security of the data they process
- Assist the controller in meeting GDPR obligations
- Have a written agreement with the data controller in place.
Sub-processor
A sub-processor is a third party engaged by a data processor to assist in fulfilling its data processing obligations to the data controller. A sub-processor will work on the personal information of a data controller but be instructed by a data processor. Key points include:
- Sub-processors must be appointed only with the prior written authorisation of the data controller
- The data processor remains fully liable to the controller for the performance of the sub-processor’s obligations
- Sub-processors are subject to the same data protection obligations as set out in the contract between the controller and the processor.
Joint Controllers
Joint controllers are two or more data controllers that jointly determine the purposes and means of processing. The data controllers will have access to the same personal information and may use it for different purposes. Together, the joint controllers agree how the personal information will be collected, stored and used. Some key points to consider are:
- Joint controllers must determine their respective responsibilities for compliance with GDPR obligations in a transparent manner
- They need to have an arrangement in place that duly reflects their roles and relationships vis-à-vis data subjects
- The essence of this arrangement must be made available to data subjects
- Regardless of the arrangement, data subjects may exercise their rights against each of the controllers.
Understanding your data protection role will help you create the right documentation to support the security and compliance of the personal information collected. It can sometimes be difficult to understand the role you (or your organisation) has, especially when there are multiple parties or intricate data processing chains.
If you are stuck and don’t know what your data protection role is, you can book an introductory call with us here to help you go through it.