How Do I Know if I’m a Data Controller or Data Processor?
The impending GDPR operates on a distinction between data controllers and data processors. However, in the real world where complex relationships exist between businesses, such a distinction can be difficult to draw, leading to organisations becoming confused as to what their responsibilities are when it comes to data protection.
To understand the difference between controllers and processors, it is important to first understand what is meant by ‘holding’ personal data and ‘processing’ it. Holding data is relatively self-explanatory: If you possess personal data about others, then you hold personal data. Data processing relates specifically to collecting or manipulating raw data in order to draw meaningful conclusions. For example, if you collected the addresses and household income of residences across the UK and then used the information to categorise the most and least affluent areas, this would be data processing. However, data processing is not limited to this kind of activity and can take many different forms.
In simple terms, a data controller has control over the processing of data, whereas the data processor is the party that actually enacts the process. A data controller decides:
To collect the personal data in the first place and the legal basis for doing so
Which items of personal data to collect, i.e. the content of the data
The purpose or purposes the data are to be used for
Which individuals to collect data about
Whether to disclose the data, and if so, who to
Whether subject access and other individuals’ rights apply, i.e. the exemptions, and
How long to retain the data or whether to make non-routine amendments to the data.
A data processor has no say in these decisions, although they may decide:
What IT systems or other methods to use to collect personal data
How to store the personal data
The detail of the security surrounding the personal data
The means used to transfer the personal data from one organisation to another
The means used to retrieve personal data about certain individuals
The method for ensuring a retention schedule is adhered to, and
The means used to delete or dispose of the data.
Data controllers and processors are not mutually exclusive: a single organisation may both control and process the same set of data. It is important to know which category your organisation falls into (or whether it falls into both), because the obligations differ between the two roles.
Quest can remove the headache and get your company GDPR compliant without the stress. To book a free review, call on 0844 8797286.