One of the questions that raised the most doubts in the organisations working on the EU GDPR implementation was what are the differences between data controller and data processor under GDPR.
“In the scope of the EU GDPR (European General Data Protection Regulation), what is our responsibility in relation to the personal data that our customers handle in the scope of their business activity? I mean, personal data are collected and processed by our customers and we only store it,” is something that is commonly asked in the organisations that I have worked with.
In fact, some organisations have no control over the data (they just store it) from their customers. The question is: Within the EU GDPR, what are the responsibilities of these organisations if they store personal data? Are they covered by the new European regulations?
European General Data Protection Regulation (EU GDPR)
This new regulation (EU GDPR) was approved on April 14, 2016, by the European Parliament and the Council of Europe. It will be applied directly in each country, EU or non-EU (which stores European citizens’ personal data), allowing for a consistency of rules between nations on the rights of citizens’ privacy. Read the article: What is the EU GDPR and why is it applicable to the whole world? to find out more.
First, all organisations collect and/or store the personal data of their own employees provided they’re European citizens; therefore, all organisations, EU or non-EU, are responsible for processing this data within the EU GDPR. On the other hand, organisations can store personal data of their direct customers or personal data that their customers collect from natural persons. Within the EU GDPR, is the organisation’s responsibility different depending on whether it collects data directly from data subjects, or not?
Controller vs. Processor
According to Article 4 of the EU GDPR, different roles are identified as indicated below:
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
So, the organisations that determine the purposes and means of processing personal data are controllers, regardless of whether they collect the data directly from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organisation (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank. These companies can be datacenters or document management companies. Both organisations (controller and processor) are responsible for handling the personal data of these customers.
What are the controllers’ responsibilities?
According to Article 5 of the EU GDPR, the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data. These are: lawfulness, fairness and transparency; data minimization; accuracy; storage limitation; and integrity and confidentiality of personal data.
According to Article 24 from the EU GDPR, “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
Examples of such measures may be to allocate responsibilities for data protection, a data protection impact assessment and a risk mitigation plan, implementation of pseudonymization (the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information), and data minimization in order to meet the requirements of this Regulation and protect the rights of data subjects.
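To make the pseudonymization measure concrete, here is an added example (not code from the original article) that splits constructed sample records into a pseudonymised part and the separately held "additional information" the definition refers to. The key name, record fields and helper functions are assumptions for illustration.

```python
import hmac
import hashlib

# Constructed sample records (not real data); two entries for the same subject.
RECORDS = [
    {"name": "Ana Silva", "email": "Ana.Silva@example.com", "balance": 1520.40, "city": "Porto"},
    {"name": "Ana Silva", "email": "ana.silva@example.com", "balance": 1498.10, "city": "Porto"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(record, key):
    """Return (pseudonymised record, additional information).

    Direct identifiers are replaced by a keyed HMAC-SHA256 token of the
    normalised e-mail. The token->identifiers mapping and the key are the
    'additional information' that must be kept separately from the
    pseudonymised data (e.g. by the controller, not the storing processor).
    """
    canonical = record["email"].strip().lower().encode("utf-8")
    token = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    pseudo = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    pseudo["subject_id"] = token
    additional = {token: {k: record[k] for k in DIRECT_IDENTIFIERS}}
    return pseudo, additional


def pseudonymize_all(records, key):
    """Pseudonymise a batch and merge the per-record lookup tables into one."""
    pseudos, lookup = [], {}
    for rec in records:
        pseudo, additional = pseudonymize(rec, key)
        pseudos.append(pseudo)
        lookup.update(additional)
    return pseudos, lookup


def contains_direct_identifier(pseudo):
    """Control check: a pseudonymised record must not carry a direct identifier."""
    return any(k in pseudo for k in DIRECT_IDENTIFIERS)


def reidentify(pseudo, lookup):
    """Re-attribute a record; only possible with the separately held lookup table."""
    attributes = {k: v for k, v in pseudo.items() if k != "subject_id"}
    return {**lookup[pseudo["subject_id"]], **attributes}


if __name__ == "__main__":
    key = b"controller-held-secret-key"  # constructed; in practice from a KMS or HSM
    pseudos, lookup = pseudonymize_all(RECORDS, key)
    print(pseudos)                         # what the processor may store
    print(reidentify(pseudos[0], lookup))  # what only the key/table holder can do
```

Because the token is keyed, the same subject stays linkable across records for the processor's work, while a party without the key and lookup table cannot attribute the data to a person.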
If several organisations share the responsibility for the processing of personal data, the EU GDPR provides for joint controllers. They must determine their respective responsibilities by agreement and make the essence of this agreement available to the data subjects, defining the means of communication with processors through a single point of contact.
What are the processors’ responsibilities?
According to Article 28 from the EU GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
This means that any EU or non-EU company that wants to stay in business, as controller or processor, will have to implement the necessary controls to ensure that it complies with the EU GDPR, because fines can be applied to both controllers and processors. According to Article 83, fines shall be imposed with regard to “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.”
Does ISO 27001 implementation satisfy EU GDPR requirements?
The implementation of ISO 27001 covers most of the requirements of the EU GDPR; however, some controls should be adapted to include personal data within the Information Security Management System. Read the article Does ISO 27001 implementation satisfy EU GDPR requirements? to find out more.
In addition to what is planned for the implementation of ISO 27001, some measures will have to be included in order for an organisation, controller or processor (both of them need to perform these activities), to ensure compliance with the EU GDPR, such as:
- procedures for ensuring the exercise of the rights of data subjects
- mechanisms for the transfer of data outside the EU
- minimum content of the impact assessment on data protection
- procedures to be followed in case of violation of personal data
All of these measures can be integrated into the Information Security Management System, making it possible to ensure legal compliance and continuous improvement – even more so if the ISMS and the EU GDPR are aligned.
The organisations covered by the EU GDPR, either controllers or processors, have until May 2018 to implement a set of measures that may drastically change their way of operating. Not knowing where to start can make this whole process too complex. The implementation of an ISMS may be the missing support that the organisation needs to comply with the EU GDPR.
To learn if you’re compliant with controller and processor obligations, see this free GDPR Readiness Assessment tool.