
GDPR Controllers or Processors

by Adam Brogden

17-Jan-2019 10:38

One of the first decisions you will need to make is whether you are a Controller or Processor. This is a pretty fundamental decision and will inform the rest of your GDPR policies and procedures.

The distinction is whether you decide what happens to the data. For example, do you decide what data to collect, how to process it, how long to store it, and who to share it with? If the answer to this question is ‘yes’, then you are the Controller. You are responsible for deciding how the data is treated. You are a Processor if you act on behalf of a Controller, for example if you process data according to the instructions of a Controller.

Being a Controller brings additional responsibilities: you are legally responsible for this data and even responsible for the actions of anyone you share the data with. This is where you need to take extra care. You MUST ensure you have a legally binding contract with anyone you share data with. This is a requirement of GDPR and also makes good sense. If the Processor loses, sells, or abuses the data in any way, you need to make sure you are legally protected and can demonstrate that you have taken reasonable precautions to protect that data.

In a few cases you might be a Joint Controller. This is where you share the responsibility with another company or person. The most common example is accountants, since accountants decide how to process your data in order to complete your accounts and respond to HMRC as required. These relationships require careful consideration under GDPR.

So, are you a GDPR Controller, Processor, or Joint Controller? Not sure? Call us to discuss.

Good luck all!