The popularity of the terms “data controller” and “data processor” has sharply increased in recent years. In part because of the significant increase of data breach scandals from tech giants, and in part because of the unprecedented media attention given to the enactment of data privacy regimes (such as the EU General Data Protection Regulation), nowadays every organization who possesses any type of personal data is (and should) be concerned with data privacy management. Living in times when information is the most valuable asset, as the means of identifying and targeting audiences, and at a time when access to information is unprecedented both in massiveness and ease, the response from cybersecurity international actors and experts has been also fairly substantial. Part of these efforts is also the newly published ISO/IEC 27701, which is an international standard providing guidelines for the implementation, maintenance and continual improvement of a Privacy Information Management System.
What is a Data Controller?
There are multiple national and federal regulations and laws that denote and define the term “Data Controller”. During the 90s a handful of developed countries developed and implemented data protection regulations as a response to the global scale that the internet was taking. But the regulation that truly popularized the term “data controller” was the GDPR. As a legal necessity to define the scopes and limits of Data Controllers, Article 4 of the GDPR states:
“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
That is to say that the data controller is the entity –be it a person or organization or a number of them – that decides on the “how” and “why” the data is collected. The GDPR considers the data controller as the primary party responsible for the most important aspects of personal data.
The data collector responsibilities are the management of:
- the collection of the data subjects’ consent;
- revoke requests from data subjects;
- the accessibility of the information from the data subjects based on the right to information;
- the permission and unequivocal statement of the reason of the collection of the data.
The data controller is almost in all cases held responsible for data breaches or unauthorized access and noncompliance.
What is a Data Processor?
Right next to the definition of “controller”, in point 8 of Article 4, the GDPR defines the meaning of “processor”:
“‘’processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
In comparison to previous data privacy regulations and laws, the GDPR expanded the responsibilities of data processors and increased the number of dimensions where they are to be held accountable.
Article 28 of the regulation states: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
What this means is that, referring to the point made above about the collector being the principal responsible party, the controller must choose a processor which is fully compliant with the GDPR. The only way that processors can prove their compliance with the GDPR is through independent third party audits, assessments and certification. It is also very important to mention that the third party itself should be accredited.
The Difference Between Data Controller and Processor
The difference between the controller and the processor is straight forward: the former collects the information and provides the reason and means for it, and the latter is a service provider to the controller, because it processes the data on the controller’s behalf.
Let’s take an example:
For marketing purposes, company A collects information from subjects (e.g. clients, users, partners, and so on) and defines the reason of collecting it, the way of collecting it, makes sure to inform the subjects accordingly and respond to their requests on the basis of the principle of the “right to information” (say, on the kind of data that company A possesses) and manages the requests for revocation of definitive deletion of the information upon the request of a data subject. Company A contracts company B, which is a marketing e-mail company which also serves as a customer communication platform. Company A, of course, has to make sure that Company B is compliant with the GDPR.
So we have a situation where company A collects the information for clearly specified reasons, and company B sends out mass-reaching e-mails on behalf of company A to customers after they have clearly agreed to this information transaction. Company A is the controller and company B is the processor in this case. This illustration happens to be a very common configuration of the relationship of a controller and processor.
Difference Between Data Protection and Data Privacy
The main difference between data protection and data privacy is the domains that they appertain to. Data protection is a cybersecurity matter and has to do with the protection of data from parties which are not authorized to access the data, such as black hat hackers. On the other hand, data privacy appertains to the legal domain (such as the GDPR) and it has to do with the access of data from authorized parties.
About the Author
Julian Kuci is the Marketing Quality Assurance Manager at PECB. He is a graduate of RIT in Economics & Statistics and Public Policy & Governance. Julian holds a diploma in Transitional Justice from the Regional School of Transitional Justice and is certified against ISO 9001 – Quality Management and ISO/IEC 27001- Information Security Management.