This article looks at what is new under the GDPR for controllers and processors, based on guidance published by the ICO.
What’s new under GDPR? – Controllers and processors
Controllers have new data protection obligations under the GDPR. Also, in a change from previous legislation, processors now have statutory obligations in their own right under the GDPR.
Individuals and supervisory authorities (such as the ICO) can hold both controllers and processors to account if they fail to comply with their responsibilities under the GDPR.
The GDPR includes explicit requirements directed at joint controllers.
What are ‘controllers’ and ‘processors’?
Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.
If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
Processors act on behalf of, and only on the instructions of, the relevant controller.
How do you determine whether you are a controller or processor?
You should be able to differentiate between controllers, joint controllers and processors so you understand which GDPR obligations apply to which organisation.
To determine whether you are a controller or processor, you will need to consider your role and responsibilities in relation to your data processing activities.
If you exercise overall control of the purposes and means of the processing of personal data – ie, you decide what data to process and why – you are a controller.
If you don’t have any purpose of your own for processing the data and you only act on a client’s instructions, you are likely to be a processor – even if you make some technical decisions about how you process the data.
What does it mean if you are a controller?
Controllers shoulder the highest level of compliance responsibility – you must comply with, and demonstrate compliance with, all the data protection principles as well as the other GDPR requirements. You are also responsible for the compliance of your processor(s).
Supervisory authorities (such as the ICO) and individuals may take action against a controller regarding a breach of its obligations.
Controllers in the UK must pay the data protection fee, unless they are exempt.
What does it mean if you are a processor?
Processors do not have the same obligations as controllers under the GDPR and do not have to pay a data protection fee. However, if you are a processor, you do have a number of direct obligations of your own under the GDPR.
Both supervisory authorities (such as the ICO) and individuals may take action against a processor regarding a breach of those obligations.
What does it mean if you are joint controllers?
Joint controllers must arrange between themselves who will take primary responsibility for complying with GDPR obligations, and in particular transparency obligations and individuals’ rights. The essence of this arrangement must be made available to individuals.
However, all joint controllers remain responsible for compliance with the controller obligations under the GDPR. Both supervisory authorities and individuals may take action against any controller regarding a breach of those obligations.