How Do I Know if I’m a Data Controller or Data Processor?
The impending GDPR operates on a distinction between data controllers and data processors. However, in the real world where complex relationships exist between businesses, such a distinction can be difficult to draw, leading to organisations becoming confused as to what their responsibilities are when it comes to data protection.
To understand the difference between controllers and processors, it is important to first understand what is meant by ‘holding’ personal data and ‘processing’ it. Holding data is relatively self-explanatory: if you possess personal data about others, then you hold personal data. Data processing relates specifically to collecting or manipulating raw data in order to draw meaningful conclusions. For example, if you collected the addresses and household income of residents across the UK and then used the information to categorise the most and least affluent areas, this would be data processing. However, data processing is not limited to this kind of activity and can take many different forms.
In simple terms, a data controller has control over the processing of data, whereas the data processor is the party that actually carries out the processing. A data controller decides:
- To collect the personal data in the first place and the legal basis for doing so
- Which items of personal data to collect, i.e. the content of the data
- The purpose or purposes the data are to be used for
- Which individuals to collect data about
- Whether to disclose the data, and if so, who to
- Whether subject access and other individuals’ rights apply, i.e. the exemptions, and
- How long to retain the data or whether to make non-routine amendments to the data.
A data processor has no say in these decisions, although they may decide:
- What IT systems or other methods to use to collect personal data
- How to store the personal data
- The detail of the security surrounding the personal data
- The means used to transfer the personal data from one organisation to another
- The means used to retrieve personal data about certain individuals
- The method for ensuring a retention schedule is adhered to, and
- The means used to delete or dispose of the data.
Data controllers and processors are not mutually exclusive; a single organisation may both control and process the same set of data. It is important to know which category your organisation falls into (or whether it falls into both) before GDPR comes into play on the 25th of May.
Quest can remove the headache and get your company GDPR compliant without the stress. To book a Free Review, call Jonny on 0844 8797286.