Are you a data controller or a data processor – and what do you need to do in either capacity to ensure you’re GDPR compliant?
The General Data Protection Regulation (GDPR) requires businesses to be transparent about what personal data they hold on their customers and what they use that data for, and gives customers greater control over whether to allow that data processing to take place.
This starts with a robust and easy to follow Privacy Policy, and with ensuring that you have determined the appropriate legal basis for processing your customer data (if they are active customers, it’s likely to be legitimate interests; if they’re prospects, it’s likely to be consent).
This article addresses a further aspect of GDPR: your responsibilities as a data controller and processor.
A data controller refers to the person or people who determine the purpose (why) and means (how) of the processing of personal data.
Any company that collects information about living people is, in essence, a data controller.
A data processor refers to the person or people who are instructed to process personal data on behalf of the controller.
‘Processing’ covers both the storage and use of personal data.
It is possible that your company will act as a data controller and a data processor, but not for the same data processing activity.
If you are a retailer collecting customer data at the point of purchase, and have a customer support team available to assist customers post-purchase, even though that team are technically processing customer data, in the eyes of the Regulation, you’re classed as a data controller in that you chose the mechanism and reason for collecting data. However, the system which stores the data – your CRM / billing system – is a data processor.
An example of a company acting as both a controller and a processor is Esendex: as a provider of business communication tools, we may be acting as a data processor for your business, but Esendex also makes decisions about how we collect and utilise our customer data, and in making those decisions we are the data controller.
Other data processors might include payroll companies, cloud hosting services, data analytics providers and outsourced IT or contact centre services.
What does this mean in practice?
Data Controllers
The best place to start is to map your data processes, and identify all of the internal and external systems that touch personal data – from Google Analytics through to your tax adviser. This should provide you with a list of data processors.
As a data controller, you are responsible for appointing data processors who can provide sufficient guarantees that they’ve implemented technical and organisational measures that meet the requirements of the GDPR.
Some good questions to ask data processors are:
- Where is the data stored?
- What are the data flows?
- Who can access the data?
- Do you have a Data Protection Officer (DPO)?
- Do you inform me if you transfer data to any other processors, or a third country?
- Have you ever experienced a data breach?
- What controls do you have in place to reduce risk?
- Do you have security breach notifications in place?
- Can you provide a description of your security measures?
- What are your processes for deleting data should our agreement come to an end?
Once these questions are answered satisfactorily, you’ll need a written contract when you directly employ a data processor, or if the data processor employs another processor. This should specify what processing activity they are permitted to undertake on your behalf, and commit them to compliance with GDPR. This type of contract is known as a Data Processing Agreement.
Check your existing contracts to ensure that they cover these two points, that you know the answers to the above questions, and that the responses are documented; if not, it’s time to revisit them.
Data Processors
As a data processor, you need to ask yourself the same questions as the above list, and ensure that you:
- Have adequate information security in place
- Keep a record of all processing activities
- Have a process for notifying the controller of any data breaches, and assist the controller in managing the consequences
- Have appointed a Data Protection Officer if one is required (here is a checklist to determine if you need a DPO)
- Cooperate with the relevant authorities in the event of an enquiry
- Comply with EU data transfer rules and data subjects’ rights
- Are able to delete or return all personal data at the request of the controller
- Advise the controller if the nature of their processing request is not compliant with GDPR.
This is not a completely exhaustive list – this article from Bristows LLP provides a greater level of detail – but hopefully it illustrates that you do need to take action to identify your data processing partners, and ensure that they are compliant, ahead of GDPR.
If you’re a customer of Esendex, here’s more information on Esendex’s GDPR compliance, and you’re encouraged to contact your account manager (0345 356 5758) regarding Data Processing Agreements.