The General Data Protection Regulation (GDPR) will have global consequences and will influence businesses in every sector. Despite being a European regulation, every business and public body that process EU residents' personal data, regardless of its geographical location, is affected by the law.
In order to better understand who is affected by the GDPR and to what extent, this article will clarify how organisations dealing with personal data are classified by the law.
To recognise different degrees of responsibility, the GDPR distinguishes between two roles: data controller and data processor.
Data Controller
The controller is the organisation, person or public authority which decides the functions and methods of the personal data processing.
Controllers are fully responsible for complying with the GDPR and demonstrating they follow its principles. This means controllers have to collect personal data limited to what is necessary, make sure data is accurate, up to date and in a form that ensures protection and allows identification of the data subject. In addition, controllers are responsible for obtaining consent from the data subject and keep track of it.
So, if your business collects, processes and/or stores information about any indvididual who is an EU citizen, during the course of your business operations, you are considered a data controller.
Data Processor
The processor is the organisation, person or public authority which processes personal data on behalf of the data controller (e.g. SaaS products, cloud applications etc.).
When the controller appoints a processor to carry out the data processing, it must comply with the GDPR. The partnership must be established by a binding agreement stating that the processor must only act on the controllersโ instructions, implement measures to assist the controller in adhering to the GDPR and ensure that all employees authorised to process data have committed to confidentiality.
Processors will also need to provide sufficient guarantees that the requirements of the GDPR are met and ensure the protection of the data subject rights. Additionally, the processor cannot subcontract another processor without the controller's authorisation.
In conclusion, it is important to identify which role your organisation plays in the data processing. If you are the data controller and rely on a third party for processing data you will need to make sure you only collaborate with GDPR-compliant companies. [1]
[1] http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
Claimable is committed to helping our customers comply with the GDPR and, as a data processor, we areย committed to full GDPR-compliance by May 2018.