Data Controllers vs. Processors: Understanding How GDPR Impacts Organizations and Their Third Parties
In the first article of our Insights series on GDPR, we reviewed the basic tenets of the EU’s landmark data privacy regulation, including the history of the rule and what the regulation considers “personal data”. But we barely scratched the surface on how GDPR defines who is responsible for the control, storage and management of that personal data. In this article, we’ll explore the specific responsibilities of the parties GDPR considers “data controllers” and “data processors” and consider how these duties affect organizations that work with and rely on third-party providers to support daily operations.
Let’s start with the definitions. Under GDPR, a data controller is:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”
A data processor, on the other hand:
“is the entity (that can be natural or legal person, public authority, agency or other body) which processes personal data on behalf of the controller under the controller’s instructions.”
Unlike the EU Data Protection Directive, which preceded GDPR and under which data controllers alone carried direct compliance obligations, GDPR stipulates that ultimate responsibility for the security of personal data lies with both controllers and processors. Because processors now also face liability for damages (in addition to controllers), there is added pressure on controllers to appropriately manage third-party relationships and, specifically, contracts with third-party vendors.
GDPR goes so far as to outline specific items that controllers must include in their contracts with the processors who store and access personal data. While some of these points were already required under the Directive (in which case, if your business was compliant, many areas would already be covered), GDPR has incorporated many new requirements. Under GDPR, contracts should include the following items (NOTE: this list is not comprehensive):
- The type of personal data being processed and the duration of the processing;
- The nature and purpose of the processing;
- The obligations and rights of the data controller;
- A requirement that the processor implement appropriate controls and measures to protect data under GDPR;
- Requirements related to how processors assist controllers in notifying appropriate authorities in the event of a data breach or compromise;
- A right for the controller to audit the processor; and
- A requirement that processors return or delete all personal data at the end of the contract term.
It is imperative that businesses considered data controllers under GDPR evaluate existing and future third-party relationships to determine which vendors are considered processors and how each stores, processes, and protects the personal data of EU persons. Existing contracts with all third parties that process data (e.g. cloud or software-as-a-service vendors, payroll providers, etc.) need to be re-evaluated and restructured to include the above information and other pertinent details as outlined by GDPR Article 28.
In the next installment of our Insights series on GDPR, we’ll review the regulation’s definition of “consent” as it relates to the processing and control of data. This is particularly relevant to companies who, for example, solicit personal data via marketing databases or e-commerce websites.
If you have questions about your business’ compliance requirements with GDPR, please contact the MFA team.