Business Technology

GDPR preparation: What's the difference between a data controller and a data processor?

11 April 2018

A data controller determines the purposes and means of processing personal data; a data processor processes personal data on the controller's behalf and under its instructions.

With the arrival of GDPR now imminent, the latest article in our GDPR Doctors series sees Neil Larkins, COO of Egress Software Technologies, explain the important differences between the role of a data controller and a data processor in the context of the new rules.

In Real Business’s GDPR Doctors series, legal and tech experts explain all company bosses need to know ahead of the new rules coming into force on 25 May 2018.

Data controllers and data processors are fundamental roles in handling personal data, and both are explicitly and clearly defined within the GDPR. However, company decision makers may still be confused as to whether they need different technologies in place, depending on which category their business falls into.

For example, imagine you run an organisation that takes payments from the public, such as an online retailer. You will have a login and registration system that collects people’s personal data, and systems that manage sales.

Both might be run by external companies. You are the data controller because you decide what information is collected and why. The external company that actually collects, stores and manages that data on your instructions is the data processor.

Importantly, the processor acts on your behalf, and that does not take you out of the picture. If your own systems hold any customer information at all, even for the shortest period, you are carrying out processing yourself, and the GDPR’s obligations on processing apply to you directly as the controller. (Holding your own customers’ data does not make you a “processor” in the GDPR’s sense; that term is reserved for a separate party processing data on a controller’s behalf.)

Both the data processor and the data controller have legal responsibilities under the GDPR. The data controller must be able to demonstrate that they comply with a set of principles relating to the processing of personal data and ensure that it is:

  • Processed lawfully, fairly and transparently
  • Collected only for explicit purposes
  • Limited only to what is necessary
  • Accurate and kept up to date
  • Not kept in a form which allows the identification of individuals for any longer than is necessary
  • Processed in a way that ensures its security

Where the data controller engages an external organisation to handle personal data on its behalf – as a data processor – the controller must satisfy itself that the processor has appropriate technical and organisational measures in place to meet the legal requirements, and the GDPR requires that arrangement to be set out in a written contract. Every data processor should therefore be able to provide those assurances.

Importantly, if the GDPR is breached, both the data processor and the data controller can be held liable.

What does all this mean in terms of whether you will need different technology in place if you are a data controller or a data processor?

Well, a data controller that never touches any personal data is going to be rare. Take the online store example: it will need to communicate with its customers, and some personal information will be needed for that. So both data controllers and data processors need to be sure they have robust systems in place.

An important step in understanding what technology is needed is to map all the personal data you hold: what it is, where it is stored, with whom it is shared and how it is used. Once you are clear on that, you will be able to see whether any of the technology you use needs to change, for example by encrypting data when it is shared, tightening access rights to some data, or reconfiguring mobile devices such as laptops and phones so that personal data does not reside on them in case of theft or loss.

You may also need to implement systems that audit trail how, where and by whom personal data is accessed and used. This will be vital in the event of a data breach.

Breaches aren’t just about hackers. A breach can also be, for example, sending personal data to the wrong recipient – in other words, mistakenly addressing an email to the wrong person. Without a strong audit trail it will be very difficult to establish when and how this happened, or which individuals’ data was affected.
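As an added example of the two preceding points (an audit trail of personal-data access, and using it to investigate a misdirected email), the Python below records access and sharing events in a hash-chained, append-only log and then queries it for emails containing customer data that went to addresses outside the organisation’s own domains. This is illustrative code written for this page, not the article’s or Egress’s own product; the organisation domain, the actor names and the sample events are all constructed assumptions.

```python
"""Added example: a tamper-evident audit trail of personal-data access and
sharing events, plus a query that flags email shares sent to recipients
outside the organisation's own domains (the 'wrong recipient' breach case).
All names, domains and sample events below are constructed for illustration."""
import hashlib
import json

# Assumption: the controller's own email domain(s); anything else is external.
ORG_DOMAINS = {"example-store.co.uk"}
GENESIS = "0" * 64  # 'previous hash' of the very first entry


class AuditLog:
    """Append-only list of events. Each entry embeds the SHA-256 of the
    previous entry, so editing or deleting an earlier line breaks the chain
    and is detected by verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same event always hashes the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, ts, actor, action, subject_id, fields, recipient=None):
        """Append one event: who did what, to which data subject, which personal
        data fields were involved, and (for shares) where the data went."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "actor": actor, "action": action, "subject_id": subject_id,
                "fields": sorted(fields), "recipient": recipient, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of the
        first entry that no longer matches)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def recipient_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def find_external_shares(log):
    """Investigation query: every email send of personal data whose recipient
    is outside ORG_DOMAINS. Each hit names the sender, the time, the data
    subject and the fields disclosed, which is what a breach report needs."""
    return [e for e in log.entries
            if e["action"] == "email_send" and e["recipient"]
            and recipient_domain(e["recipient"]) not in ORG_DOMAINS]


def build_sample_log():
    """Constructed sample: one morning's events at a fictional online store."""
    log = AuditLog()
    log.record("2018-04-11T09:02:00Z", "alice@example-store.co.uk", "view",
               "cust-1042", ["name", "address"])
    log.record("2018-04-11T09:05:10Z", "alice@example-store.co.uk", "email_send",
               "cust-1042", ["name", "order_history"],
               recipient="support@example-store.co.uk")
    # The mistake: a customer record emailed to an outside address.
    log.record("2018-04-11T10:41:33Z", "bob@example-store.co.uk", "email_send",
               "cust-1042", ["name", "address", "order_history"],
               recipient="j.smith@gmail.com")
    log.record("2018-04-11T11:00:00Z", "payments-svc", "export",
               "cust-2210", ["card_last4"], recipient="acquirer.example.net")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    for hit in find_external_shares(sample):
        print(f"{hit['ts']} {hit['actor']} sent {hit['fields']} of "
              f"{hit['subject_id']} to {hit['recipient']}")
```

Two design choices matter here. The log records which personal-data fields were involved, not the data itself, so the audit trail does not become a second copy of the customer database. And the hash chain means that if a single entry is altered or removed after the fact, `verify()` reports the position where the chain breaks, which is what makes the trail usable as evidence when reconstructing a breach.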

As the GDPR implementation deadline of 25 May approaches, the important thing is not to panic about all of this. When you come through the other side of the work you will have robust, strong systems in place that protect individual data. Your business will be stronger for it.

GDPR doctor Neil Larkins co-founded Egress Software Technologies in 2007 and currently serves as chief operations officer, playing an instrumental role in shaping the strategic direction of the business, with particular emphasis on product and service development.

If you have burning GDPR questions that you’d like answered, please send them to editors@realbusiness.co.uk and we’ll get these answered for you.