Skip to main content

The Changing Roles of Data Controllers
and Processors Under the GDPR

By February 15, 2019March 20th, 2023No Comments
The Changing Roles of Data Controllers and Processors Under the GDPR

The General Data Protection Regulation (GDPR) came into force on May 25, 2018, becoming the most comprehensive data protection law to date. Adopted in 2016, the GDPR supplanted the 1995 Data Protective Directive, updating and modernizing policy to reflect the massive change in how protecting personal data in an increasingly wired world is more important than ever.

Adhering to the GDPR’s rules is crucial for organizations that collect, process, and store personal data from European Economic Area (EEA) individuals; fines for noncompliance are steep, and the fallout could cause those individuals to lose trust in an organizations’ products or services. To ensure personal data are collected, processed, and stored properly, organizations are obliged to include data controllers and data processors who are responsible and accountable for a number of tasks, updated from the 1995 Directive.

How Does the GDPR Define Personal Data?
According to the GDPR, personal data are any information relating to an identified or identifiable person, or data subject. This means anyone who can be identified either directly or indirectly by name, location, ID number, or one or more indicators “specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This and other data—including personal data that fall under the GDPR’s special categories—must be controlled and processed through data controllers and data processors.

What are Data Controllers (and Co-controllers) Under the GDPR?
The Data Protection Act of 1998 defined a data controller as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.” Under the GDPR, data controllers are individuals or organizations that decide which data are collected, how they’re collected, and why they’re collected. Co-controllers, however, are two or more data controllers that have jointly decided the whats, whens, and whys of data processing.

What Are Data Processors Under the GDPR?
A data processor is an individual or entity that processes personal data on behalf of the data controller; processors must act only under instruction of the controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply. Data processors are also required to assist controllers in certain circumstances such as responding to a data breach notification. Processors are often third-party entities.

Responsibilities and Liabilities of Data Controllers and Data Processors Under the GDPR
The GDPR places new responsibilities and liabilities on both the controller and processor; in the Data Protection Directive of 1995, controllers were solely responsible for compliance. Now, both the controller and processor are jointly liable for compliance with the GDPR. Controllers must only appoint data processors who can provide “sufficient guarantees” that the requirements of the GDPR will be met and the data subjects’ rights will be protected. If a data controller selects a processor that adheres to a code of conduct or certification that has been approved under Article 40 or 42 of the GDPR, this selection may help organizations exhibit compliance with the GDPR’s Article 28.1.

Expand Your Global Footprint with an Experienced Partner
The GDPR offers data subjects the most robust defense against improper and unsecure data handling. While there are many rules by which organizations must abide, doing so means a more secure user experience for data subjects. No matter where you expand, if your organization collects, processes, and/or stores EEA subjects’ data, you’ll want to remain in compliance with the GDPR to avoid costly penalties—and negative impacts to your business’ reputation.

Velocity Global has helped hundreds of companies expand overseas—many of which became and remain GDPR compliant. If you’re considering expanding globally, reach out to Velocity Global today. Our suite of global expansion services–which includes our Employer of Record solution– has the tools and expert assistance you need to expand quickly and compliantly virtually anywhere. Ready to get started? Let’s chat.