data security
When we talk about data controllers and data processors, we’re talking about the roles in companies and organisations that process and control people’s personal data in accordance with GDPR (General Data Protection Regulations) obligations. In the UK, the independent governing body that ‘upholds information rights in the public interest’ is the ICO (Information Commissioner’s Office). 
 
Whilst small businesses don’t necessarily need to assign a member of staff as a data processor or data controller – larger companies and organisations do – everyone should first know the difference between the two roles, and they should know what each role encompasses to ensure no data protection rights are violated. So, let’s delve a little deeper into what a data processor does and what a data controller does. 

What is a data controller and a data processor? 

Let’s start with a couple of definitions to clarify the roles. Firstly, according to the ICO, a data processor is the person, people or company that processes any data given to them by a data controller. They don’t own or control the data, they can’t change its meaning or purpose; they just process it.  
 
Their specific responsibilities are: 
 
Design, develop and implement any IT processes and procedures that enable the data controller to collect personal data. 
Use the relevant strategies and tools set out by the data controller to gather the data. 
Ensure the correct, robust security controls are in place to safeguard collected users’ data. 
Securely and safely store the data collected by the data controller. 
Securely transfer the data between the data controller and third party, where applicable. 
 
A data controller, on the other hand, is responsible for protecting the rights and privacy of the data’s subject, i.e., the person who is using the website or has downloaded content. The data controller looks after how the data is used and the procedures in place to ensure the data is not mis-used. They are also allowed to process the data they have collected in accordance with regulations, including working with a third party that has collected the data on behalf of the data controller, such as a website hosting company.  
 
Their specific responsibilities include: 
 
Collecting personal data (information) from customers, visitors to the website or social media platforms and through other channels. A data controller must have the legal authority to carry out this task. 
Modifying or changing the data collected, as applicable. 
Decide on how and where the data is going to be used and for what purpose. 
Decide on whether the data needs to be shared with a third party, who that third party is, or if it’s better to keep the data in-house. 
Understand how long the data may be kept, decide when it needs to be deleted, adhere to requests from users to delete the data and dispose of the data as required. 
 
Most large organisations and corporations will have dedicated data processor and data controller roles. However, in small and medium-sized businesses, these roles are often combined with other jobs. For example, you will often find that someone in the marketing department is the data controller as they are usually the people that implement marketing campaigns whereby data is collected. 

Data controller vs data processor – which one are you? 

In respect of the GDPR, the two are considered separate roles. The data processor, which can be the company, a third party or an individual, who is collecting users’ data on behalf of the data controller.  
 
Let’s give you an example: if we managed your website and you asked us to run a promotion, collecting all the data from users who took part in the promotion and storing it on our data management system, we would be the data processor and you would be the data controller.  
 
The reason is that we have collected the data on your behalf but you own that data and decide what to do with it. 
 
In some companies, the roles are combined. For example, if it is a small business and one person collects the data, analyses it and makes the decisions on how it is to be used, they are both the data processor and the data controller. 
 
Each role has different responsibilities to ensure they are compliant with the GDPR. So, as well as understanding your business’s role in terms of being a data controller or a data processor, if you outsource the collection of personal data or ask a third party to analyse the data, you must make sure they know about their obligations to GDPR compliance and understand their responsibilities. 
 
The primary reason for this is that should there be a data breach, the data controller and the data processor are able to ensure that they have carried out their responsibilities in accordance with the GDPR and can limit their exposure to risk. 
 
The data controller has greater obligations under the GDPR than the data processor but both roles need to understand
 
Their obligations to the GDPR in the UK and how to achieve them. 
Their responsibilities to users/consumers/individuals as well as the supervisory authorities, such as the ICO in the UK (if your company does business with EU countries, they need to abide by the governing body in that country). 
The penalties incurred from non-compliance with the GDPR, such as fines and any other enforcement. 
How to work with other businesses and organisations to ensure the personal data you collect is done responsibly, respecting the user/consumer/individual’s rights, and ensuring that the data is used correctly. 
 
According to previous data security laws, data processors were unlikely to receive any significant retribution except for possibly a claim for breach of contract. However, under the GDPR, data processors are as liable as data controllers for non-compliance and breaching data rules. 
 
Data controllers and data processors now face the risk of being heavily fined and other enforcement penalties. In the UK, the ICO has the authority to hand out fines of up to £17.5 million or 4% of the company’s worldwide turnover (whichever is the greater) against data controllers and data processors.  
 
Therefore, it is important to understand and recognise whether you are a data controller or a data processor, as well as knowing your responsibilities, so that you can ensure you have abided by the regulations. 
At it'seeze Stevenage, we are bespoke web design professionals providing affordable website packages. We ensure that every website we design and build has the correct data regulation requirements incorporated. 

Need Help? 

At it'seeze Website Design, you're never alone. If you want help updating your website, let's arrange a website review. We can make content suggestions, provide training, and help make sure that your website never gets stagnant.  
 
Just contact us to get the ball rolling. 
Feedback or questions? You can comment below, or contact us directly. 
Tagged as: best practices, GDPR
Share this post:

Leave a comment: 

Our site uses cookies. For more information, see our cookie policy. Accept cookies and close
Reject cookies Manage settings