One of the first decisions you will need to make is whether, for each processing activity, you
are a Controller or a Processor. This is a fundamental decision and will inform the rest of your
GDPR policies and procedures, because the two roles carry different legal obligations.
The distinction is whether you decide what happens to the data, in GDPR terms whether you
determine the purposes and means of the processing. For example, do you decide what data to
collect, why it is collected, how it is processed, how long it is stored, and who it is shared
with? If the answer is 'yes' then you are the Controller: you are responsible for deciding how
the data is treated. You are a Processor if you act on behalf of a Controller, for example if you
only process data according to the documented instructions of a Controller and do not decide
the purposes yourself.
Being a Controller brings additional responsibilities. You are legally accountable for this data
and must be able to demonstrate your compliance, and you remain accountable for how the
Processors you appoint handle it. This is where you need to take extra care. You MUST only use
Processors that give sufficient guarantees that they will protect the data, and you MUST have a
written, legally binding contract with any Processor you share data with that sets out the
subject matter, duration, nature and purpose of the processing and the Processor's obligations
(this is a requirement of Article 28 of GDPR and also makes good sense). If the Processor loses,
sells or abuses the data in any way, you need to make sure you are legally protected and can
demonstrate that you took reasonable precautions, such as due diligence before appointing the
Processor and a contract that binds them, to protect that data.
In a few cases you might be a Joint Controller. This is where you and another company or person
jointly decide the purposes and means of the processing and therefore share responsibility for
it, and GDPR requires you to agree between you who handles which obligations. An example often
given is accountants, since an accountant decides how to process your data in order to complete
your accounts and respond to HMRC as required; note, however, that because accountants exercise
their own professional judgement, regulators often treat them as independent Controllers in
their own right rather than Joint Controllers, so the facts of each relationship matter. These
relationships require careful consideration under GDPR.
So, are you a GDPR Controller, Processor, or Joint Controller? Not sure? Call us to discuss.
Good luck all!