GDPR Responsibilities of Controllers and Processors

Responsibilities of Controllers and Processors

What are controllers and processors under the GDPR?

  • Controllers determine the purpose and means of processing personal data and are usually the collectors of data. They do not necessarily need to be located in the EU. Controllers are additionally responsible for monitoring processors’ compliance.
  • Processors are engaged to protect data on behalf of the controller.

Both controllers and processors are responsible and liable for compliance under the GDPR.

Responsibilities of Controllers

The primary responsibility of controllers is to data subjects. Controllers also demonstrate compliance with the GDPR and ensure data processors’ compliance as well. Controllers outside the EU that regularly process personal data pertaining to people within the EU should have a designated representative within the EU to help manage compliance.


Responsibilities of Processors

Processors are governed by a contract that addresses how data will be processed, how requests from data subjects will be fulfilled, and whether data will be transferred to any other geographical locations. The processor makes information available to the controller to demonstrate compliance and notifies the controller in the event of a breach. It is also the processor’s responsibility to ensure that authorization is given prior to engaging a sub-processor, and that all data is deleted or returned at the end of their service provision.

The GDPR introduces direct statutory obligations on processors as well as severe sanctions for compliance failures. This is especially relevant for non-EU data processors, who must recognise that if their clients are based in the EU, they themselves are responsible for complying with the GDPR. The processor carries the same risk of fines as the controller.


Required Data Protection Practices

  • Data protection by design and default

Data protection by design means that data protection principles are integrated into the design of the systems that manage personal data. Data protection by default means putting safeguards in place that limit the processing of data to what is necessary.

  • Safeguards

Generally, it is recommended to put in place practices and technologies that are appropriate to the level of risk. Some of the best safeguards are quite simple: for instance, appointing a data protection officer and consulting supervisory authorities on high-risk projects. Other examples include breach notification procedures and data protection impact assessments (DPIAs) for high-risk projects.

  • Breach notification

Breaches must be reported within 72 hours of discovery unless there is a low risk to the rights and freedoms of the data subjects. High-risk breaches should be communicated to the affected data subjects without delay.

  • Documentation

Companies with 250 or more employees, and those that handle certain special categories of data, are required to document: contact information, the purpose of processing, the categories of data, data transfers to other countries, timelines for erasure of each category of data and, where possible, a description of the technical and organizational security measures in place.
