Data processor vs. data controller

The General Data Protection Regulation (GDPR) was the catalyst for numerous changes in records and information management (RIM) and beyond. The implementation of GDPR sparked a conversation around the roles of the data processor and the data controller. GDPR also encouraged organizations to clearly define these roles, because it applied legal obligations to data processors for the first time.

Especially now that GDPR has affected these roles, organizations need to understand them, their similarities and the differences, and their relationship.

The roles of data processors and data controllers are intimately related. According to Article 4 of the EU GDPR, a data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller's behalf.

Data controller: purpose and means of processing data

One of the reasons the distinction between the roles is so important is compliance. The need for compliance has also caused the roles to evolve since the implementation of GDPR. In most cases, GDPR treats the controller as the main party responsible for consent and governing access. Controllers can make more independent decisions, but they are at fault if something goes awry. In GDPR and other privacy laws, the data controller is most responsible for protecting the privacy of and rights to the data.

According to Article 5 from the EU GDPR, the controller is responsible for the lawfulness, fairness and transparency of information. Data controllers are also required to protect accuracy, storage limitation, and the confidentiality of personal data. This means that data controllers should only choose data processors that comply with GDPR, to avoid fines and penalties.

Though a data controller can process collected data using its own procedures, in some cases a controller will work with a third party or another service to analyze data. For example, a payroll service provider is a third-party data controller because it specifies exactly what to do with payroll.

Consequences of non-compliance to GDPR are significant, with fines of up to 20 million euros or 4% of global turnover (whichever is higher) plus other sanctions.

- PwC

Data processor: maintain a record of activity

It is not always easy to ascertain what counts as a data processor. Data processors typically include places like law firms, doctors' offices and accounting firms. A processor is required to maintain a record of data processing activities. A good rule of thumb is that if an organization must follow data and privacy orders and instructions, then it's a data processor. Organizations that shred or store information may also be on the processor side.

Typically, processors can and should attempt to transfer responsibility associated with data risk to third-party providers. The main way that GDPR has changed the processors' job is to enumerate their duties within the rules and regulations of GDPR — meaning they can also be strictly enforced.

The gray area

Post-GDPR, it's also become evident that some organizations don't fall clearly into one role or the other. Organizations such as courier companies are in the gray area because they aren't analyzing data specific to individuals.

If more than one organization shares the responsibility for the processing of personal information, then there may be a case for joint controllers. Respective responsibilities would have to be clearly defined, and processors would serve as the main point of contact.

Processors and controllers have different roles and responsibilities under GDPR, so it's important that the roles are understood and correctly classified. Identifying how each serves your organization helps protect data and ensure compliance.