Who’s who in GDPR?

Could you confidently explain the difference between a Data Subject, a Data Controller or a Data Processor?

This short blog and its companion, Who Does What in GDPR?, will make it crystal clear as well as helping you understand if your outsourced service providers are putting your business at risk.

 

One thing we’ve got in common

As we go through life, we entrust our personal information to organisations. Sometimes it’s to a supermarket which delivers our online shopping, sometimes to a new employer so they can pay us, sometimes to the government so they can pay benefits or to the NHS so they can supply healthcare services – the list is endless.

Years ago, all data used to be held on paper. Now, the data that we share can be held in many forms including paper, digital, biometric, CCTV images, GPS tracking records and so on.

When we hold data on someone, we call them a Data Subject. It’s a rather impersonal way of saying a living person. Please note that the GDPR does not apply to the data of the deceased.

 

Introducing the Data Controller

A Data Controller is an organisation that receives a Data Subject’s personal data. The Data Controller is a decision-maker in terms of what happens to this data. They are accountable for ensuring that personal data is treated with respect, used correctly, protected from criminals and not shared without the Data Subject’s knowledge or permission.

If an organisation decides which data to collect, where to store it, how long to keep it, when to delete it, who to share it with and why, it’s definitely a Data Controller.

For example, your organisation is a Data Controller if:

  • Your Finance and HR team collect information about employees so you can operate your own payroll
  • Your website collects users’ email addresses so your marketing team can send special offer emails
  • You collect the name and address of a customer to allow you to deliver goods or services to the individual

 

So, what’s a Data Processor?

If you outsource any of your data processing to another organisation, they become a Data Processor. The number of Data Processors you have is likely to increase as your business grows, for example:

  • As you gain more employees, you may outsource your payroll to a third party
  • As you expand into new markets, you may ask an agency to manage your marketing emails
  • As your users grow, you may ask a local IT firm to manage your IT security

 

Wearing two hats

In some situations, an organisation can be both a Data Controller and a Data Processor.

Using ourselves as an example, we’re always been a Data Controller as we collect data in-house in order to run our own payroll. However, the first time a client asked us to manage a project which involved their personal data, we also became a Data Processor.

 

What about a Sub Processor?

A Sub Processor is an organisation that processes data on behalf of the Data Processor. Confused?  Let’s use a simple example to illustrate…

You want to order a book on GDPR from ACME Inc. Once you place your order, ACME becomes the Data Controller and you become the Data Subject.

ACME outsources its deliveries to a logistics company, Bob’s Trucks. When Bob’s Trucks receive your name and address from ACME, they become a Data Processor.

Unfortunately, Bob’s Trucks don’t have a driver in your area. They ask Charlie’s Vans to deliver the book on their behalf. When Charlie’s Vans receive your details from Bob’s Trucks, they become a Sub Processor.

The Data Controller remains accountable for your data at every step in the journey. If a Data Subject has a query with how his or her data is being managed or shared, the communication should always be via the Controller.

 

The role of the Data Protection Officer (DPO)

Some organisations may need to appoint a Data Protection Officer (DPO).

This role requires in-depth knowledge of the GDPR and the UK Data Protection Act (DPA) and has some additional legal responsibilities. Many smaller businesses find that outsourcing this role provides them with the expert knowledge they need. We’re always happy to have no obligation chat to establish if you need a DPO and if our Virtual DPO service can save you money.

 

Need more help?

Now you understand Who’s Who in GDPR, read our blog on Who Does What in GDPR to check you’re doing all you can to boost compliance and put your customers’ minds at rest.

More news

Upcoming events