If you’re a business owner who is looking to comply with GDPR, then you need to understand the difference between a data controller vs a data processor.
A data controller is responsible for deciding how and why personal data is processed. They must ensure that data is collected lawfully, and that individuals have been given adequate notice about how their data will be used.
A data processor, on the other hand, simply carries out the instructions of the data controller. They are not responsible for making decisions about how or why personal data is processed.
Cutting edge payroll software
- Powerful and easy to use
- HMRC & RTI compliant
- Used by payroll pros
The CRM platform to grow your business
- Great for entrepreneurs
- Powerful data analytics
- Manage sales and data
Powerful web builder and advanced business tools
- Great for startups
- Powerful web page builder
- E-commerce available
Supercharged content planning
- Great for marketing
- Better than lists or sheets
- Manage social media
Create a new website in 10 minutes. Easy.
- Launch your website fast
- Powerful data intuitive
- No coding skills needed
In this article, we will explore the roles a data controller vs a data processor in more detail, and explain why it’s important to understand your responsibilities under GDPR.
What is GDPR?
I’m sure you’ve heard of GDPR by now – it’s been all over the news! But what is it? The General Data Protection Regulation (GDPR) is a new EU data protection law that came into effect on May 25th, 2018. GDPR replaces the 1995 EU Data Protection Directive, and strengthens EU data protection rules by giving individuals more control over their personal data, and establishing new rights for individuals.
GDPR applies to any company that processes the personal data of EU citizens, regardless of whether the company is based inside or outside of the EU. Companies that process the personal data of EU citizens must comply with GDPR unless they can demonstrate that they meet certain conditions.
What is personal data?
The term “personal data” refers to any information that could be used to identify an individual. This includes, but is not limited to, names, addresses, phone numbers, email addresses, and IP addresses. Under the GDPR, personal data must be:
- Legitimate and necessary for the purposes for which it is being processed
- Accurately and carefully collected
- Processed in a transparent, consistent, and fair manner
- Erased or destroyed where no longer needed and subject to regular monitoring
Organisations that process personal data must take responsibility for ensuring that it is handled in accordance with the GDPR. This includes understanding the difference between a data controller vs data processor, and ensuring that each party understands their roles and responsibilities.
The difference between a data controller vs data processor?
Under GDPR, businesses must appoint a data controller. The data controller is responsible for deciding how and why personal data is processed. Data controllers must ensure that data is collected lawfully, and that individuals have been given adequate notice about how their data will be used.
Data processors, on the other hand, simply carry out the instructions of the data controller. They are not responsible for making decisions about how or why personal data is processed.
It’s important to note that data controllers can be held liable for the actions of data processors. This means that data controllers must carefully select data processors that they can trust to comply with GDPR.
What are the responsibilities of data controllers?
Data controllers have a number of responsibilities under GDPR. They must:
Ensure that personal data is processed lawfully
This means that data controllers must take steps to ensure that data is collected in a fair and transparent manner, and that individuals have been given adequate notice about how their data will be used.
Data controllers must also ensure that data is not processed for longer than is necessary, and that data is kept accurate and up-to-date.
Ensure that individuals have been given adequate notice about how their data will be used
Under GDPR, data controllers must provide individuals with clear and concise information about how their data will be processed. This information must be provided in a transparent and easily accessible fashion, and it must be updated as needed.
Data controllers must also ensure that individuals have the right to access their data, the right to change their data protection settings, and the right to have their data erased.
Take steps to protect personal data from accidental or unauthorised access, destruction, or alteration
This means ensuring that data is properly secured and that only authorised personnel have access to it. Employees must be trained on data security procedures and how to properly handle and store data. Data controllers must also have a data breach response plan in place in case of an incident.
Take steps to ensure that data processors also comply with GDPR
Data processors must ensure that the data they process is GDPR-compliant, and must take steps to protect data from unauthorised access, alteration, or destruction. They must also ensure that data is properly deleted when it is no longer needed.
| As a data controller, you are responsible for ensuring that data processors comply with GDPR. |
|---|
| You should have contractual agreements in place that detail the data processor’s responsibilities, and you should monitor the data processor’s compliance on an ongoing basis. If you become aware of any non-compliance, you must take steps to correct the situation. |
What are the responsibilities of data processors?
The following is a list of responsibilities for data processors under GDPR:
Only process data in accordance with the instructions of the data controller
This means that data processors must adhere to the data protection policies and procedures set out by the data controller. This is essential in order to protect the data of individuals.
Maintain records of data processing activities
This includes details of the data processed, the purposes for which it was processed, and the categories of data subjects. These records must be made available to the data controller upon request.
Take steps to protect personal data from accidental or unauthorised access, destruction, or alteration
The data processor needs to ensure that data is stored securely and encrypted where necessary. They should also put in place security measures to prevent unauthorised access to data.
Notify the data controller of any data security breaches
This includes any unauthorised access to data, destruction of data, or alteration of data. Data processors must also take steps to mitigate the effects of any data security breach.
Why is it important to understand your role under GDPR?
It’s important to understand your role under GDPR so that you can ensure that you are in compliance with the law. If you are a data controller, you must take steps to protect personal data from accidental or unauthorised access, destruction, or alteration. You must also take steps to ensure that data processors also comply with GDPR.
If you are a data processor, you must only process data in accordance with the instructions of the data controller, and you must take steps to protect personal data from accidental or unauthorised access, destruction, or alteration.
Dual roles under GDPR
It’s important to note that data controllers can also be data processors, and vice versa. This means that businesses must take care to comply with both sets of responsibilities.
For example, a website owner who collects email addresses in order to send marketing messages would be considered a data controller. However, if they hired a third-party company to manage their email list, that company would be considered a data processor.
In this example, the website owner would need to take steps to ensure that the data processor they hired was in compliance with GDPR. They would also need to comply with GDPR themselves, as they are ultimately responsible for the data collected on their website.
How to delete data securely
Data controllers and data processors must take steps to ensure that data is deleted safely and securely. This includes ensuring that data is encrypted before it is deleted, and that data is only deleted by authorised personnel.
There are a few different methods you can use to delete data.
When you’re deciding which method to use, you need to consider a few factors. How sensitive is the data? How much data do you have? And how quickly do you need to delete it?
Physical destruction
If the data is highly sensitive, then physical destruction might be your best option. This is because it’s impossible to recover data that has been physically destroyed. However, it can be time-consuming and expensive to destroy large amounts of data.
There are a few different ways you can physically destroy data.
| Shred | Incinerate | Degauss |
| Use a shredder to cut a hard drive into small pieces | Use fire to destroy a hard drive beyond repair | Use a strong magnet to scramble the data on a storage device, thereby destroying it |
Data destruction services can also provide other methods of data destruction, like crushing or pulverising the hard drive. It is important to choose a data destruction service that is certified and compliant with GDPR.
Data erasure
An alternative to physical destruction is data erasure. Data erasure makes it hard for the data to be recovered. This can be done manually or using data erasure software. This is not always the safest option as it can leave traces of data behind.
When data is deleted from a hard drive, it is not immediately removed from the physical device. Instead, the data is marked as free space and can be overwritten by new data. If you want to ensure that data is completely wiped from a hard drive, you need to use a data erasure tool. Data erasure tools write over the data on a hard drive multiple times, making it difficult to recover.
A data destruction company will use data erasure tools to wipe data from hard drives. They have the expertise and equipment to ensure that data is completely destroyed. When you choose a data destruction company, you can be confident that your data will be safe and secure. Data destruction companies also provide certificates of destruction, which can be used as proof that you have taken steps to protect your data.
Anonymisation
Anonymisation, or data anonymisation, is the process of transforming data in such a way that it can no longer be linked with a specific data subject without the use of additional information. This additional information is often referred to as a “key”.
Anonymised data is still valuable for data analysis, research and marketing purposes. It can be used to understand trends, behaviour and preferences of data subjects in a large population.
There are two main types of data anonymisation:
| Pseudonymisation | De-identification |
| Data is replaced with artificial identifiers (e.g., randomly generated numbers) that cannot be linked back to the original data subject without the use of the key. | De-identification: data is irreversibly transformed in such a way that it can no longer be linked back to the original data subject (e.g., through data encryption). |
Both pseudonymisation and de-identification are effective methods of data anonymisation. However, de-identified data is more secure since it cannot be reverse engineered to reveal the original data.
FAQs
A data controller is responsible for deciding how and why personal data is processed. A data processor simply carries out the instructions of the data controller.
Data controllers must ensure that personal data is processed lawfully, and that individuals have been given adequate notice about how their data will be used. Data controllers also have a number of other responsibilities under GDPR.
Data processors must only process data in accordance with the instructions of the data controller, and they must take steps to protect personal data from accidental or unauthorised access, destruction, or alteration.
It’s important to understand your role under GDPR so that you can ensure that you are in compliance with the law. Data controllers have a number of responsibilities under GDPR, and data processors must only process data in accordance with the instructions of the data controller. businesses must take care to comply with both sets of responsibilities if they act as both data controllers and data processors.
If you are a data controller and data processor, you must take steps to protect personal data from accidental or unauthorised access, destruction, or alteration. You must also take steps to ensure that data processors also comply with GDPR. businesses must take care to comply with both sets of responsibilities if they act as both data controllers and data processors.
The role of a data controller is to ensure that personal data is processed lawfully, and that individuals have been given adequate notice about how their data will be used. Data controllers also have a number of other responsibilities under GDPR.
The role of a data processor is to carry out the instructions of the data controller, and to take steps to protect personal data from accidental or unauthorised access, destruction, or alteration. Data processors must only process data in accordance with the instructions of the data controller.
Yes, data controllers can also be data processors. This means that businesses must take care to comply with both sets of responsibilities if they act as both data controllers and data processors.
Yes, data processors can also be data controllers. This means that businesses must take care to comply with both sets of responsibilities if they act as both data controllers and data processors.
Data controllers must ensure that personal data is processed lawfully, and that individuals have been given adequate notice about how their data will be used. Data controllers also have a number of other responsibilities under GDPR.
Data processors must only process data in accordance with the instructions of the data controller, and they must take steps to protect personal data from accidental or unauthorised access, destruction, or alteration.