Now that we’re in the final countdown, GDPR is the topic on everyone’s lips. But while GDPR has very strict and easy-to-understand rules about what businesses can and can’t do with EU citizen data, many people are still confused about their responsibilities regarding that data. Unlike previous data protection laws, GDPR sets out categories for businesses, depending on the nature of their business and how they handle data. Depending on which category you fall into, you will have different responsibilities for that data. Your options are either a Data Controller, or a Data Controller and Processor.
GDPR defines a data controller as:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
So basically, any business that simply deals with its own customer data. In general terms, the data controller is the entity that determines why and how personal data is processed. The controller must be responsible for, and demonstrate, compliance with the Data Protection Principles, and is accountable for enforcing them. In general, controllers bear primary responsibility for ensuring that processing activities are compliant with EU data protection laws. If you run a business, you will be by default a data controller. So the real question is, how do you know if you’re a processor as well?
While it might sound similar, GDPR defines a data processor as:
A natural person, public authority, agency or other body which processes personal data on behalf of the controller.
This option applies more to businesses that handle their clients’ customer data. A few examples would be outsourced HR departments, marketing companies or even shredding companies like us. Processors are service providers who process data on another company’s behalf. In order to do this properly, the controller must appoint the processor under a binding written agreement, which states that the processor:
- Shall only act on the controller’s instructions; and
- Must ensure the security of the personal data that it processes
Processors must also ensure that the personal data that they process is kept confidential, and abide by all data protection laws.
GDPR Responsible Officers
One of the key requirements under GDPR is for every business to appoint a responsible officer – known as the Data Protection Officer. This is not an optional position – every business in the EU has to have one. This is a bit of a change from our previous data regulations, which suggested it would be a good idea, but never flat out stated that businesses must have that role in place. According to a study done by the International Association of Privacy Professionals, 28,000 Data Protection Officers will need to be appointed in Europe alone before May 2018. This is mainly because GDPR does away with the previous criteria dictating that a public organisation needs to have a certain number of employees, and instead focuses on what organisations do with personal information – regardless of their size. Once you have appointed your Data Protection Officer, they will be responsible for:
- Informing and advising the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- Being the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
So as you can see, it’s a bit more complex than it seems at first glance. GDPR is going to bring about a huge number of changes in business practices around the UK, and it’s important that you have the knowledge to follow the new regulations fully. For more information or advice about GDPR for your business, just get in touch with us today.