Data Controller VS. Data Processor and ISO/IEC 27701


The popularity of the terms “data controller” and “data processor” has sharply increased in recent years. In part because of the significant increase in data breach scandals involving tech giants, and in part because of the unprecedented media attention given to the enactment of data privacy regimes (such as the EU General Data Protection Regulation), nowadays every organization that possesses any type of personal data is (and should be) concerned with data privacy management. Living in times when information is the most valuable asset, as the means of identifying and targeting audiences, and at a time when access to information is unprecedented both in scale and ease, the response from international cybersecurity actors and experts has also been substantial. Part of these efforts is the newly published ISO/IEC 27701, an international standard providing guidelines for the implementation, maintenance and continual improvement of a Privacy Information Management System (PIMS).

What is a Data Controller?

There are multiple national and federal regulations and laws that define the term “Data Controller”. During the 90s a handful of developed countries developed and implemented data protection regulations in response to the global scale that the internet was taking. But the regulation that truly popularized the term “data controller” was the GDPR. Out of the legal necessity to define the scope and limits of Data Controllers, Article 4 of the GDPR states:

“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…” 

That is to say that the data controller is the entity (be it a person, an organization, or a number of them) that decides on the “how” and the “why” of the data collection. The GDPR considers the data controller as the primary party responsible for the most important aspects of personal data.

The data controller's responsibilities are the management of:

  • the collection of the data subjects’ consent;
  • revocation requests from data subjects;
  • data subjects’ access to their information, based on the right to information;
  • the permission and unequivocal statement of the reason for the collection of the data.

The data controller is in almost all cases held responsible for data breaches, unauthorized access and noncompliance.

What is a Data Processor?

Right next to the definition of “controller”, in point 8 of Article 4, the GDPR defines the meaning of “processor”:

“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

In comparison to previous data privacy regulations and laws, the GDPR expanded the responsibilities of data processors and increased the number of dimensions where they are to be held accountable. 

Article 28 of the regulation states: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

What this means, referring to the point made above about the controller being the principal responsible party, is that the controller must choose a processor which is fully compliant with the GDPR. The only way that processors can prove their compliance with the GDPR is through independent third-party audits, assessments and certification. It is also very important to mention that the third party itself should be accredited.

The Difference Between Data Controller and Processor

The difference between the controller and the processor is straightforward: the former collects the information and determines the purpose and means of the collection, while the latter is a service provider to the controller, because it processes the data on the controller’s behalf.

Let’s take an example: 

For marketing purposes, company A collects information from data subjects (e.g. clients, users, partners, and so on). It defines the reason for collecting the information and the way of collecting it, makes sure to inform the subjects accordingly, responds to their requests on the basis of the principle of the “right to information” (say, about the kind of data that company A possesses), and manages requests for the revocation or definitive deletion of the information upon the request of a data subject. Company A contracts company B, a marketing e-mail company that also serves as a customer communication platform. Company A, of course, has to make sure that company B is compliant with the GDPR.

So we have a situation where company A collects the information for clearly specified reasons, and company B sends out mass e-mails on behalf of company A to customers after they have clearly agreed to this information transaction. Company A is the controller and company B is the processor in this case. This illustration happens to be a very common configuration of the relationship between a controller and a processor.

Difference Between Data Protection and Data Privacy  

The main difference between data protection and data privacy is the domain that each belongs to. Data protection is a cybersecurity matter and has to do with protecting data from parties that are not authorized to access it, such as black hat hackers. Data privacy, on the other hand, belongs to the legal domain (such as the GDPR) and has to do with the access to data by authorized parties.
