The data controller is the company or person who has the power to determine what happens to your data.
In many countries, the “possessor” of data is the company that collected it. However, in other places, like the European Union, the data “possessor” can be a government agency or some other entity.
The data controller decides the purposes and means of processing, that is, how and why a company or website will use the data. Typically, this is the owner or manager of the website. If you have a website, you need to be GDPR compliant, and there are distinct steps you must take to remain in compliance with the regulations, including those required by the EU.
The data controller is the person or company that determines the purposes for which, and the means by which, personal data is processed. Therefore, if your company decides the ‘why’ and the ‘how’ of processing, it is the data controller.
As a data controller, you (whether an individual or an organisation) are responsible for ensuring that your processing complies with the General Data Protection Regulation (GDPR).
This includes ensuring all data processed on your behalf is adequate, accurate, timely and secure.
Obligations of controllers: the individual controllers need to agree which of them will fulfil each specific controller obligation under the GDPR, because each controller remains responsible for compliance with all of the GDPR’s responsibilities.
Article 26 states that if the parties jointly determine the purpose and means of processing, both are deemed joint controllers. The GDPR doesn’t go into further detail on this process and only mentions it in passing in Articles 30 and 36.
The clauses in Article 26 (GDPR) on joint controllership are very short, but they have generated much discussion and uncertainty for organisations.
The concept of joint controllership is not particularly new, but its post-GDPR application in the modern data processing ecosystem is complex. Clarifying how parties are deemed joint controllers defines their respective compliance responsibilities and shared liability regarding individuals and data protection authorities.
An organisation can be a data controller, a data processor, or both at once, depending on the data set in question. For example, if an analytics provider runs a customer’s data through its systems, the provider is the processor of that data.
However, the analytics provider may hold any number of other data sets, perhaps which it uses in its analytics tools. If the analytics provider is entitled to determine how that additional data is used, it will be the controller of that data.
Your GDPR obligations depend on whether you are a controller, a processor or a joint controller. It is therefore vital that you carefully consider your role and responsibilities in each of your data processing activities and determine which of the three you are.
Even if you aren’t directly involved in collecting any data, you are still potentially liable for non-compliance with the GDPR. Therefore, you are responsible for ensuring you demonstrate compliance with the Regulation’s data protection principles.
In the UK, the General Data Protection Regulation distinguishes between a ‘data controller’ and a ‘data processor’.
This distinction recognises that not all organisations involved in processing personal data carry the same degree of responsibility. The UK GDPR defines these terms as follows:
The person or organisation that determines ‘why’ and ‘how’ personal data should be processed is known as the data controller.
Suppose a company processes personal data to help a specific individual (like an employee) carry out their duties. In that case, that employee is acting as a data processor.
A ‘data processor’ is any business or individual that processes personal data on behalf of another. In short, a processor acts as an agent for the data controller.
The six core principles of the data protection regime are laid out in Article 5 of the UK GDPR:
The first principle of privacy is reasonably self-evident. An organisation should ensure its data collection practices are legal and don’t hide anything from its data subjects. To comply, as a data controller, you need to thoroughly understand the GDPR and its rules for data collection. In addition, you should publish your privacy policy stating exactly what data you collect and why you’re collecting it.
Organisations should limit the personal data they collect to what is necessary to fulfil their purposes. They should also ensure that the data they collect is accurate, up to date, and not kept for longer than is required to meet those purposes. A data controller is given more leeway if its processing is done for archival, public interest, scientific, historical or statistical purposes.
An organisation must only process personal data that is necessary to achieve its purpose. This has two significant benefits: if a data breach occurs, whoever obtains the data gains access to only a small amount of it, and a smaller data set is easier to keep accurate.
Data accuracy is essential to data privacy. The GDPR asserts that “every reasonable step” must be taken to correct, delete or destroy any data that is not accurate or complete. Individuals have the right to request that inaccurate or incomplete data be corrected or updated, and such requests must be handled within 30 days. In other cases it may be impossible to correct or update the data, and the data may need to be removed instead.
All organisations must delete personal data when it’s no longer necessary. How long should an organisation retain customer data? It varies between industries and the reasons that the data is collected. Any organisation that is uncertain how long it should keep personal data should consult a legal professional.
The GDPR requires that personal data be secured. Data should be protected against accidental loss, destruction or damage, and against unauthorised processing, using appropriate technical or organisational measures. The GDPR is deliberately vague about what organisations should do, because technological and organisational best practices are constantly changing.
The below checklist will help you figure out what to do if you’re a data controller.
Your business has completed an information audit to find out where the data in your business is located.
Your business has documented and identified your lawful bases for processing data.
The UK General Data Protection Regulation sets a very high standard for consent. However, you don’t always need consent. In some cases, offering people genuine choice and control over how you use their data enhances your reputation and creates more trust. The GDPR builds on the 1998 Act standard of consent in several areas and contains more detail about what constitutes valid consent and other lawful bases for processing people’s data.
You must have a lawful basis for processing a minor’s personal data. If you depend on consent as the lawful basis for processing data and you are offering online services to children, you must make reasonable efforts to verify that anyone giving their own consent is old enough to do so. Therefore, you will need to ensure that anyone providing their consent to you is over the age of 13.
If you provide an online service for children under the age of 13, you must first get the consent of whoever holds parental responsibility for the child. You must then use reasonable efforts to verify that the person giving consent for the child does have parental responsibility.
If you must process any kind of data to protect the interests of an individual, your business needs to document the circumstances where it will be relevant and inform those individuals where necessary.
If you rely on legitimate interests as the lawful basis for processing, your business has demonstrated that it has considered and protected individuals’ rights and interests.
All organisations or businesses that process any personal information need to pay a fee to the ICO unless they are exempt.
To be safe, always assume that everything you store about a customer is personal data, and ensure you comply with the law (the Data Protection Act) when storing and processing it. Ensure that your processing of customers’ personal data is secure and compliant with data privacy regulations, and that you erase the data promptly when it is no longer needed.
It is essential to consider pseudonymising and/or encrypting personal data when it is a particular category of personal data. To pseudonymise, replace identifying information with “artificial identifiers”. This will ensure the personal data remains secure.
Although it is mentioned 15 times in the GDPR, pseudonymisation alone is not enough; it has its limitations, which is why encryption is also mentioned in the GDPR.
Encryption scrambles or encodes information by replacing it with something else. Pseudonymisation still permits anyone with access to the data in your organisation to view the data set; encryption, on the other hand, allows only “approved” users to access the complete data set.
It is possible to use both pseudonymisation and encryption at the same time or separately under GDPR.
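The following added example (not code from ISMS.online or from any of the regulations cited on this page) shows the difference described above. The sample customer record, the list of direct identifiers and the key values are all constructed for illustration. Pseudonymisation replaces the identifiers with keyed HMAC tokens and keeps the re-identification table separate, yet the rest of the record stays readable by anyone holding the data set; encryption makes the whole record unreadable without the key. Because the example uses only the Python standard library, the encryption step is an encrypt-then-MAC construction over an HMAC-SHA256 keystream standing in for a vetted AEAD such as AES-GCM, which is what a production system should use.

```python
"""Pseudonymisation versus encryption of a personal-data record (stdlib only).

The record, the identifier list and the keys below are constructed for
illustration; none of it is real data.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

# Direct identifiers that pseudonymisation replaces with artificial identifiers.
# Every other field remains readable in the pseudonymised data set.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample customer record.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "email": "jane@example.org",
    "phone": "+44 20 7946 0000",
    "plan": "premium",
    "region": "UK",
    "monthly_spend_gbp": 49.0,
}


def pseudonymise(record: Dict, key: bytes) -> Tuple[Dict, Dict[str, str]]:
    """Replace each direct identifier with a keyed HMAC-SHA256 token.

    Returns the pseudonymised record plus the re-identification table
    (token -> original value), which must be held separately from the
    pseudonymised data. Tokens are deterministic for a given key, so records
    for the same person remain joinable across data sets.
    """
    out = dict(record)
    lookup: Dict[str, str] = {}
    for field in DIRECT_IDENTIFIERS:
        if field not in out:
            continue
        value = str(out[field])
        # Prefix with the field name so equal strings in different fields
        # do not produce the same token.
        token = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = value
        out[field] = token
    return out, lookup


def reidentify(pseudo_record: Dict, lookup: Dict[str, str]) -> Dict:
    """Reverse pseudonymisation using the separately held lookup table."""
    out = dict(pseudo_record)
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field] in lookup:
            out[field] = lookup[out[field]]
    return out


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream generator (a PRF used as a
    stream cipher). This stands in for AES-GCM only so the example has no
    third-party dependency; use a vetted AEAD in production."""
    blocks = []
    counter = 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_record(record: Dict, key: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag. Without the key,
    the whole record, not just the identifiers, is unreadable."""
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps(record, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(blob: bytes, key: bytes) -> Dict:
    """Verify the tag in constant time, then decrypt.
    Raises ValueError for a wrong key or tampered ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt.decode())


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pseudo, lookup = pseudonymise(SAMPLE_RECORD, key)
    print("pseudonymised (still readable):", pseudo)
    print("re-identified with separate table:", reidentify(pseudo, lookup))
    print("encrypted (opaque without key):", encrypt_record(SAMPLE_RECORD, key).hex()[:40], "...")
```

The point the page makes is visible in the output: the pseudonymised record still exposes plan, region and spend to anyone who holds the data set, and the re-identification table must be stored apart from it, whereas the encrypted blob reveals nothing and rejects a wrong key or any modification.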
The UK GDPR requires you to designate a Data Protection Officer (DPO). This DPO is responsible for ensuring your organisation complies with the new regulations. They will also work with you on any necessary changes to your data management procedures.
Data Protection Officers assist you in monitoring your compliance with data protection laws and provide advice on Data Protection Impact Assessments (DPIAs). DPOs also act as a contact point for data subjects and the ICO. A DPO may be someone already employed by your company or someone with no prior connection to your business at all.
The DPO must be independent, an expert in data protection, adequately funded, and report to the highest management level. Several organisations can appoint a single DPO in some cases.
One of the fundamental principles of the UK GDPR is that you must secure the processing of personal data by using appropriate organisational measures. This is the ‘security principle’.
You must take reasonable measures designed to ensure the confidentiality, integrity and availability of your systems and services and the personal data you process within them.
As you can see above, the financial penalties for breaching the GDPR are not cheap.
There are various steps you can take to make your company compliant:
Remote or flexible working arrangements are among the most important factors people consider when looking for a job. Despite the increasing number of companies that offer remote job opportunities, most employers do not have a formal remote work policy, which leaves them vulnerable.
All businesses and organisations should have a robust remote work policy in place. It will help to guide the operational model of your business.
It is also essential for remote developers to understand how to gather and access data in a GDPR-compliant manner.
Find ways to reinforce your work from home policy with employee training and awareness sessions.