Data controllers and data processors under GDPR

Most companies can be classed as a data controller, even if the only personal data they hold is that of their own employees.

The data controller is responsible for determining the purpose of handling personal data, and why and how it is processed.

The data processor processes this personal data on behalf of the data controller.

If there is more than one data controller determining the purpose of the same personal data, they are joint controllers. However, if they determine a different purpose for the same personal data, they are not classed as joint controllers.

Data controllers under GDPR

Companies must be compliant with the GDPR, and they can do this by making data controllers accountable both for their own processing and for the data processors they use.

As a controller, you must ensure you are compliant with the six principles relating to the processing of personal data.

Controllers must be able to demonstrate compliance, which entails the following responsibilities:

→ implementation of technical measures – these measures will generally include encryption, regular security reviews, back-up data facilities and regular testing of back-up plans

→ enforcing privacy policies – this could relate to the data processors involved internally and externally, by checking and updating agreements with third parties, and monitoring third-party privacy policies

→ staff training – an example of this would be to make sure all employees are aware of and follow the company’s policies and procedures regarding confidentiality

→ provide evidence of compliance – an example of this would be to keep records of processing activities; having a dedicated data protection officer also helps to demonstrate compliance

→ in the event of a data breach – reporting it within 72 hours to the supervisory authority

→ data minimisation – this means holding and processing only the data necessary for its purpose

→ apply the GDPR principles of data protection by design and by default

Data processors under GDPR

Data processors also have to be compliant with the GDPR.

They too can face direct enforcement actions or penalties for failure to comply with GDPR.

It is important that when a data controller uses the services of a data processor, the two parties have a contractual agreement which includes the following:

→ there must be a contract or another approved legal basis between both parties

→ they must act solely on the instructions of the data controller

→ once approval has been gained, they must assist controllers

→ they must meet any data security obligations

→ all data must be kept confidential

→ they must provide the data controller with all evidence of GDPR compliance when necessary

→ they must follow restrictions on sub-processing

→ all data must be returned or erased at the end of the working process

If the data processor fails to comply with GDPR, it is the data controller who takes responsibility for this. Data processors may also be held responsible for any data breaches.

However, the data processor must itself comply with the requirements for:

→ record keeping

→ the appointment of a data protection officer

→ reporting data breaches

→ security measures

Compliance deadlines and penalties

Deadlines

Failure by your company to comply with GDPR legislation can result in sanctions ranging from written warnings to heavy fines.

One way to avoid such penalties is to meet the compliance deadlines.

Companies can comply by responding to requests regarding personal data promptly and efficiently.

In the event a data subject requests access to the data your company holds on them, it is important to respond to them without delay.

At the very latest, you should respond within a month; if a request is complex, your company can extend this period by up to two months.

You must inform the data subject of this extension, counting from the date the extension was requested, along with an explanation of the reasons for it.

If information regarding personal data is incomplete or inaccurate, a data subject can request this be rectified.

Again, your company must respond to this without delay and at the latest within a month.

This request, however, can be denied if it’s deemed unfounded or excessive.