The responsibility for complying with GDPR privacy law, and the consequences of non-compliance, can vary greatly from one organisation to another. Often it is not clear who is responsible for data protection, or whether an organisation is a “data controller” or a “data processor”. The guidelines below help you determine which category your company falls into, so that you can take the necessary precautions against breaches and other potential violations.
Let’s start by defining what a data controller and a data processor are, how they differ, and how joint controllers fit in.
To whom does UK-GDPR apply?
Any business that sells products, goods or services to somebody in the United Kingdom has to follow the regulations issued under the UK-GDPR. Like the EU GDPR, the UK-GDPR applies to businesses and organisations that process the data of UK citizens and residents, whether or not they have premises or offices in the United Kingdom. The Data Protection Act defines these measures via 8 principles.
It is now essential for companies to meet UK-GDPR compliance to prevent the disruption or penalties they might face after a data breach or privacy violation. The UK-GDPR applies to every type of business that collects and processes personal data, although in some cases it does not apply to certain individuals and activities (see below). A few of its measures are basic technical controls for the storage and transmission of data, e.g. encryption of personal data.
Who does UK-GDPR not apply to?
- Data collected purely for personal or household activities, with no connection to professional or commercial activities
- Data collected for Defence or protecting national security
- Data processed by competent authorities for law enforcement purposes
What is a controller and processor (GDPR)?
Two kinds of entity handle individuals’ data: the data controller and the data processor. The UK-GDPR assigns each of them duties according to its role in data processing, since not all organisations perform the same level of personal data processing.
Businesses and companies offering their services in the United Kingdom therefore need to understand the functions and requirements of data controllers and data processors in order to comply. Knowing which role your organisation plays is the starting point for meeting its obligations.
It is the controller’s responsibility to align its data processing with the regulation. Under the UK-GDPR, the data controller must fulfil the data processing requirements set out in the act, and must implement appropriate technical and organisational measures so that the personal data it processes is handled in line with the data protection principles.
For data processors, the UK-GDPR sets out a more limited set of requirements to meet compliance demands.
Data controller vs data processor
Now that the UK-GDPR has established its position on data controllers and data processors, it is important to understand who they are and what they are required to do.
What is a data controller (GDPR)?
The definition of data controller according to UK-GDPR is:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Data controllers determine the purpose of data processing and make the decisions about the processing activities, which means they are responsible for the processing of personal data.
Data controllers must be able to answer why the data is being collected, what operations or set of functions will be performed on it, and how sensitive data will be stored, retrieved and used. The controller can be any public or private organisation or legal body (e.g. an incorporated partnership, incorporated association or public authority), or any individual (e.g. a self-employed professional such as a lawyer, doctor or independent consultant).
Let’s illustrate the data controller with an example.
Most of the time, organisations rely on a third party or a software service to generate and manage the monthly payroll of their employees. They collect personal identification information such as name, address, identity card number, date of birth and bank details in order to process salaries.
In this scenario, the organisation is the data controller, since it collects the employees’ data and determines how it is used.
What is a joint controller?
The definition of the joint controller according to UK-GDPR is:
Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.
Whether the controllers carry out the processing together or separately, they are considered joint controllers if they jointly decide how the data will be used, processed and handled.
For instance, suppose a product-based company has partnered with a research company to evaluate its new product. The company shares a brief specification of the product and asks the research company to survey its customers across the UK to find out how helpful they find the product and how they think the company should improve it. The company leaves the survey sample size, questionnaires, interview methods, presentation of results and so on to the research company.
In this scenario, the research company determines how the information is collected and processed: what questions will be asked of the company’s customers, which customers will be included in the interviews, and how the collected survey information will be used and stored. It is therefore considered a joint controller.
The product-based company remains the primary data controller, as it commissioned the survey and determines the purpose for which the data is stored and used.
Under the UK-GDPR, joint controllers must agree between themselves how they will inform data subjects and how data subjects can exercise their rights. The joint controllers must also make their respective roles and responsibilities transparent to the data subjects.
What is a processor?
UK-GDPR defines the processor as:
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processors can be any company, individual or legal entity that carries out processing on behalf of the controller and under its authority. When using processors, the controller remains responsible for overseeing them and for checking that each processor implements the organisational and technical measures required by the regulation, so that data subjects’ rights and protection are ensured.
In the example given in the data controller section, the third party or software service that generates and manages the payroll on behalf of the organisation is the data processor, because it performs the payroll processing on the data the organisation collected.
Processors must follow the controller’s instructions and must not breach any of the requirements placed on them. They may only process personal data other than as instructed by the controller when the law requires it.
What is a sub-processor?
The term sub-processor is not itself defined in the UK-GDPR. In practice, sub-processors are processors that perform some or all of the data processing activities on behalf of another processor rather than directly for the controller.
Where sub-processors are used, the UK-GDPR holds the processor to its own obligations. The processor and its sub-processors must be bound by the same set of contractual terms and conditions that apply between the controller and the processor.
The sub-processor is subject to the oversight of the processor and of the main controller regarding the implementation of appropriate technical and organisational measures, so that the data subject’s privacy and protection are ensured and the processing requirements of the regulation are fulfilled.
In the worst case, when a sub-processor fails to fulfil the requirements of the regulation, the primary processor remains fully accountable to the controller for the performance and failures of that other processor, i.e. the sub-processor.
Can you be both a data controller and processor?
The answer is YES; you can be both a data controller and a data processor. It is not the nature of the organisation that makes it a controller or a processor; it is the nature of each processing activity, and who determines its purposes and means, that decides the organisation’s obligations under the UK-GDPR. It is therefore essential to learn which roles and responsibilities fall on data processors and controllers.
Consider again the payroll example from the data processor section. The third-party service provider or software company is the data processor and is accountable to the controller. However, that same processor (i.e. the third party or software company) is a controller with respect to its own employees and internal environment, because in that context it decides how to direct its employees in generating the payroll and carrying out other processing activities.
A processor that processes the controller’s data within its own environment under its own rules, and that shares the controller’s employee data with its own staff according to its own instructions, can therefore also be a controller.
Nevertheless, when you act as both a controller and a processor, you must maintain a clear separation between your data processing in the capacity of a controller and in the capacity of a processor. Under the UK-GDPR, both data controllers and processors have obligations they must fulfil. Since their responsibilities complement each other, businesses need to understand the critical difference between them and know where they stand, so as to avoid violating the rules and incurring heavy penalties.
Cyphere helps businesses of all shapes and sizes to protect their sensitive data through data privacy, security compliance and penetration testing. Get in touch with our compliance experts to discuss your privacy concerns.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.