The Changing Roles of Data Controllers and Processors Under the GDPR

The Changing Roles of Data Controllers and Processors Under the GDPR

The General Data Protection Regulation (GDPR) came into force on May 25, 2018, becoming the most comprehensive data protection law to date. Adopted in 2016, the GDPR supplanted the 1995 Data Protective Directive, updating and modernizing policy to reflect the massive change in how protecting personal data in an increasingly wired world is more important than ever.

Adhering to the GDPR’s rules is crucial for organizations that collect, process, and store personal data from European Economic Area (EEA) individuals; fines for noncompliance are steep, and the fallout could cause those individuals to lose trust in an organizations’ products or services. To ensure personal data are collected, processed, and stored properly, organizations are obliged to include data controllers and data processors who are responsible and accountable for a number of tasks, updated from the 1995 Directive.

How Does the GDPR Define Personal Data?
According to the GDPR, personal data are any information relating to an identified or identifiable person, or data subject. This means anyone who can be identified either directly or indirectly by name, location, ID number, or one or more indicators “specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This and other data—including personal data that fall under the GDPR’s special categories—must be controlled and processed through data controllers and data processors.

What are Data Controllers (and Co-controllers) Under the GDPR?
The Data Protection Act of 1998 defined a data controller as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.” Under the GDPR, data controllers are individuals or organizations that decide which data are collected, how they’re collected, and why they’re collected. Co-controllers, however, are two or more data controllers that have jointly decided the whats, whens, and whys of data processing.

What Are Data Processors Under the GDPR?
A data processor is an individual or entity that processes personal data on behalf of the data controller; processors must act only under instruction of the controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply. Data processors are also required to assist controllers in certain circumstances such as responding to a data breach notification. Processors are often third-party entities.

Responsibilities and Liabilities of Data Controllers and Data Processors Under the GDPR
The GDPR places new responsibilities and liabilities on both the controller and processor; in the Data Protection Directive of 1995, controllers were solely responsible for compliance. Now, both the controller and processor are jointly liable for compliance with the GDPR. Controllers must only appoint data processors who can provide “sufficient guarantees” that the requirements of the GDPR will be met and the data subjects’ rights will be protected. If a data controller selects a processor that adheres to a code of conduct or certification that has been approved under Article 40 or 42 of the GDPR, this selection may help organizations exhibit compliance with the GDPR’s Article 28.1.

Expand Your Global Footprint with an Experienced Partner
The GDPR offers data subjects the most robust defense against improper and unsecure data handling. While there are many rules by which organizations must abide, doing so means a more secure user experience for data subjects. No matter where you expand, if your organization collects, processes, and/or stores EEA subjects’ data, you’ll want to remain in compliance with the GDPR to avoid costly penalties—and negative impacts to your business’ reputation.

Velocity Global has helped hundreds of companies expand overseas—many of which became and remain GDPR compliant. If you’re considering expanding globally, reach out to Velocity Global today. Our suite of global expansion services–which includes our Employer of Record solution– has the tools and expert assistance you need to expand quickly and compliantly virtually anywhere. Ready to get started? Let’s chat.

Share via:

Topic:

Compliance

Want more insights like this?

Subscribe to our newsletter to receive resources on global expansion and workforce solutions.

Man smiling with building behind him

Related resources

Team discussing EU regulations on worker misclassification
Blog

EU Cracks Down on Worker Misclassification with the Platform Worker Directive

Across the European Union, the landscape of worker classification is undergoing a significant
Read this Blog
Birds-eye-view of remote worker outdoors, sitting at cafe table with coffee, typing on laptop.
Blog

Are Companies Secretly Paying Remote Workers Less? A Look at Global Pay Disparities

The rise of remote work has fundamentally reshaped global employment dynamics, but it has also
Read this Blog
Back view of man holding backpack & walking along brick path
Blog

The Rise of “Invisible Employment:” How Companies are Secretly Hiring Across Borders Without EORs or PEOs

A concerning trend is making waves on the surface of international hiring practices. “Invisible
Read this Blog