In this video, Mandy Huth talks about data controllers and data processors under GDPR. Explore the tasks that a data controller must manage and the responsibilities of a data processor.
- [Instructor] There are two primary groups of organizations covered under GDPR in terms of processing data: data controllers and data processors. Data controllers have responsibility for control over personal data. They are, in effect, the data owners. They have ultimate accountability for the safety of that data. Some of the tasks that a data controller is responsible for are to ensure they have compliance. They do this by processing personal data fairly.
Those organizations must obtain data fairly and keep it only for its identified purpose. The data controllers must keep it safe and they must manage any processors they may use. Data processors are engaged by controllers to obtain, analyze, and store data on the controller's behalf. You can think of them as third-party vendors, such as a managed service or a software product. Data processors must act exactly as they are instructed by controllers.
They must protect the data as well. Processors must also obtain written permission to use any subcontractors in their data processing requirements. Processors must also contribute to any compliance audits that may happen for the data. When we look at them side by side, you can see that the data controller is the owner of the data, and the processor must follow the controller's instructions. The data controller is responsible to EU citizens, whereas the data processor is responsible to only the controller.
The data controller must have technical measures and processes in place, but the data processor must commit to those security measures to protect the data. Controllers and processors should leverage contracts to commit to the appropriate security measures and understandings. There will be penalties for broken contractual agreements. Finally, controllers do have the right to inspect the premises of any data processor. Let's go through an example using a fictitious company called Explore California.
If Explore California has a set of employees, and they are keeping personal data as part of their employment contract, Explore California becomes the data controller. If that company were to use an HR software provider to process and store the personal data, that HR provider becomes the data processor. The contract to outline the respective rules and responsibilities would outline what data Explore California is responsible for, and what the HR software provider is allowed to do as they process that data.
Understanding if an organization is a controller or processor, and in some cases, maybe both, helps that organization understand their responsibilities with the data.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.
- Define the objectives of GDPR relating to the personal privacy of citizens.
- Determine the responsibilities of data protection officers under GDPR.
- Identify the rights of citizens in the event of a data breach.
- Review the steps that must be taken in the event of a data breach.
- Describe the notification process in the event of a data breach.