GDPR definition of Data Controller
GDPR defines “Data Controller” as a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of PII. What does it mean to determine the purposes and means of processing? Determining the means refers to the factual influence that the controller has over the processing operation. The following questions should be asked to determine whether influence exists:
- Why is the processing taking place?
- Who initiated the processing?
- Who benefits from the processing?
Responsibilities of the Data Controller
The Data Controller has the primary responsibility for ensuring compliance with GDPR. If you are the Data Controller, you are responsible for implementing appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in compliance with this privacy law. These measures should take into account the following:
- Nature, scope, context, and purposes of the processing; and
- The risks of varying likelihood and severity for the rights and freedoms of natural persons due to your processing.
You can determine the risks inherent to the processing of PII by performing a thorough risk assessment. You also hold the responsibility for ensuring that the privacy rights of data subjects are protected and respected and that your data processing operations comply with GDPR.
GDPR definition of the Data Processor
GDPR defines a Data Processor as a natural or legal person, public authority, agency or other body which processes PII on behalf of the controller. Remember that processors still have to meet certain requirements under GDPR even if they are not defining why and how that PII is processed. Data processors act in the interest of the data controller, meaning that the processor is serving the controller’s interest by carrying out a specific task and is following the instructions set out by the controller, at least with regard to the purpose and essential means of the data processing.
Responsibilities of the Data Processor
Data Processors have the following responsibilities under GDPR:
- Process PII in accordance with the instructions provided by the Data Controller;
- Receive the consent of the Data Controller prior to using any subcontractors;
- Have a contract with the Data Controller;
- Demonstrate compliance with the requirements of GDPR; and
- Implement appropriate security measures.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.