Data Controllers vs. Processors: Understanding How GDPR Impacts Organizations and Their Third Parties

In the first article of our Insights series on GDPR, we reviewed the basic tenets of the EU’s landmark data privacy regulation, including the history of the rule and what the regulation considers “personal data”. But we barely scratched the surface on how GDPR defines who is responsible for the control, storage and management of that personal data. In this article, we’ll explore the specific responsibilities of those GDPR considers “data controllers” and “data processors” and consider how these duties affect organizations that work with and rely on third-party providers to support daily operations.

Let’s start with the definitions. Under GDPR (Article 4(7)), a data controller is:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”

A data processor, on the other hand, is defined in Article 4(8) as:

“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”

and, under Article 29, may process that data only on the controller’s instructions (unless required to do otherwise by Union or Member State law).

Unlike the EU Data Protection Directive, which preceded GDPR and under which only data controllers carried direct compliance obligations, GDPR places responsibility for the security of personal data on both controllers and processors (Article 32 applies to each directly). Because processors now also face liability for damages (Article 82) in addition to controllers, there’s added pressure on controllers to appropriately manage third-party relationships and, specifically, contracts with third-party vendors.

GDPR goes so far as to outline, in Article 28(3), specific items that controllers must include within their contracts with the processors who store and access personal data. While some of these points were already required under the Directive (in which case, if your business was compliant, many areas would already be covered), GDPR adds a number of new requirements. Under GDPR, contracts should include the following items (NOTE: this list is not comprehensive):

  • The type of personal data being processed and the duration of the processing;
  • The nature and purpose of the processing;
  • The obligations and rights of the data controller;
  • A requirement that the processor process the personal data only on the controller’s documented instructions;
  • A requirement that the processor implement appropriate technical and organizational measures to protect the data as required by GDPR;
  • A requirement that the processor engage sub-processors only with the controller’s prior written authorization, and flow the same contractual obligations down to them;
  • Requirements related to how the processor assists the controller in notifying the appropriate authorities (and, where required, the affected individuals) in the event of a data breach or compromise;
  • A right for the controller to audit the processor, including access to the information needed to demonstrate compliance; and
  • A requirement that the processor return or delete all personal data at the end of the contract term, at the controller’s choice.

It is imperative that businesses considered data controllers under GDPR evaluate existing and future third-party relationships to determine which vendors act as processors and how each stores, processes, and protects the personal data of individuals in the EU. Existing contracts with all third parties that process such data (e.g. cloud or software-as-a-service vendors, payroll providers, etc.) need to be re-evaluated and restructured to include the above information and the other details required by GDPR Article 28.

In the next installment of our Insights series on GDPR, we’ll review the regulation’s definition of “consent” as it relates to the processing and control of data. This is particularly relevant to companies that, for example, solicit personal data via marketing databases or e-commerce websites.

If you have questions about your business’ compliance requirements with GDPR, please contact the MFA team.

Michelle Mackey