In May 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect, making significant changes to how organisations process personal data. The GDPR sets out specific responsibilities for data controllers, data processors, and data protection officers to ensure that personal data is handled transparent, fair, and lawfully.
In this blog post, we will explore the role of the controller under the GDPR and their responsibilities in managing personal data.
About GDPR
General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU. The GDPR data protection principles apply to all organisations, regardless of size or location, that process the personal data of EU residents.
It sets forth strict requirements for collecting, storing, using, and destroying personal data. GDPR also gives individuals certain rights, such as the right to be informed about how their data is being used and the right to access, correct, or delete their personal data.
What Is Data Collection and How Does GDPR Regulate It?
Today's advertising, marketing, and customer service heavily rely on data collection. Various types of information are gathered from users about their preferences, interests, habits, and data processing activities.
This data can be used for various purposes, such as targeted advertising campaigns, developing customer profiles, and providing personalised services.
GDPR requires organisations to obtain explicit consent from the user for collecting personal data and demonstrate compliance with the set rules. Additionally, the user must be informed of the information collected and why it is necessary.
Who is a Data Controller under the GDPR?
A data controller is an organisation or individual that determines the purposes and means of processing personal data.
This means that if an organisation collects and uses personal data, they are the data controller responsible for ensuring that the data is processed lawfully and in accordance with the GDPR. In essence, a data controller is an entity that decides why and how personal data is processed.
A data protection officer (DPO) is a GDPR-mandated role that data controllers and processors must appoint. The DPO is responsible for ensuring compliance with the GDPR within their organisation.
This includes overseeing data protection measures, monitoring employee training, and advising employees on how to handle personal data responsibly.
The Role of Controllers under GDPR
Under the GDPR, controllers determine why and how personal data is collected and processed. They must ensure that all personal data is collected and processed lawfully, transparently, and securely. The responsibilities of the controller include, but are not limited to:
Determining the purposes and means of processing personal data
One of the primary responsibilities of a data controller under the GDPR is to determine the purposes and means of processing personal data. This means they must clearly understand why they are collecting and processing personal data and how they will do so.
The controller must ensure that the processing is necessary and lawful and does not infringe on the rights and freedoms of the data subjects. In addition, the controller must be transparent about their processing activities and provide individuals with clear and concise information about how their data will be used.
Ensuring that personal data is processed in a fair, lawful, and transparent manner
Data controllers are responsible for ensuring that personal data is processed fairly, legally, and transparently. This means that they must have a legal basis for processing personal data and ensure that the processing is necessary for the purposes for which it was collected.
Controllers must also ensure that individuals are informed about their rights under the GDPR, including the right to access their data, the right to rectify inaccurate data, and the right to erasure.
Ensuring that personal data is collected for specified, explicit and legitimate purposes and is not processed further in a manner incompatible with those purposes
Data controllers must ensure that personal data is collected for specified, explicit, and legitimate purposes and that it is not processed further in a manner incompatible with those purposes.
This means that controllers must clearly understand why they are collecting and processing personal data and ensure that any further processing is necessary and lawful. They must also ensure that individuals are informed about different processing activities and that they are allowed to object to such processing.
Ensuring that personal data is accurate, up-to-date, and limited to what is necessary for the purposes for which it is processed
Data controllers must ensure that personal data is accurate, up-to-date, and limited to what is necessary for the purposes for which it is processed. Controllers must take appropriate measures to ensure that personal data is accurate, up-to-date, and not stored for longer than necessary. They must also ensure that personal data is not processed in a way that is excessive or unnecessary for the purposes for which it was collected.
Notification of personal data breaches to the relevant supervisory authority
Under the GDPR, controllers must notify the relevant data protection authority o any personal data breaches. This means controllers must have an effective system for detecting, reporting, and notifying any personal data breach as soon as possible.
Controllers must also inform individuals whose personal data has been affected by a breach without undue delay. Data breach includes loss, unauthorised access, and disclosure of personal data.
Ensuring that personal data is not kept for longer than necessary for the purposes for which it was collected
Data controllers must ensure that personal data is not kept for longer than necessary for the purposes for which it was collected. This means controllers must have clear retention policies in place and ensure that personal data is deleted or anonymised when it is no longer needed. They must also ensure that individuals know how long their data will be retained and the legal basis for such retention.
Implementing appropriate technical and organisational measures to ensure the security of personal data
Data controllers must implement appropriate technical and organisational measures to ensure the security of personal data. This means they must take appropriate measures to protect personal data from unauthorised access, disclosure, and loss. Controllers must also regularly review and update their security measures to ensure they effectively protect personal data.
Engaging data processors, if any, and ensuring that they are bound by obligations sufficient to meet the controller's obligations under the GDPR.
Data controllers may engage data processors to process personal data on their behalf. However, controllers remain responsible for ensuring that personal data is processed in accordance with the GDPR.
Controllers must ensure that data processors are bound by data protection obligations sufficient to meet the controller's obligations under the GDPR. This means that controllers must have appropriate contracts with data processors that set out the respective responsibilities of the controller and the processor.
What Is The Difference Between A Data Controller And A Processor?
A data controller is an organisation or individual that determines the purposes and means of processing personal data. On the other hand, a data processor is an entity that processes personal data on behalf of the data controller. They act under the data controller's instructions and are responsible for implementing appropriate technical and organisational measures to ensure the security of personal data.
In practical terms, a data controller might be a company that collects personal data from its customers to fulfil orders or provide services. A data processor might be a third-party payment processor that handles payment information on behalf of the data controller. While the data controller is ultimately responsible for ensuring that the GDPR processes personal data, the controller and processor have specific obligations to ensure that personal data is handled appropriately.
What Happens if a Controller Does Not Comply With the GDPR?
You must ensure that you and those who process data on your behalf of you remain compliant with GDPR. If an individual experiences any damages due to your processing activities falling short of their legal requirements, then they have every right to pursue a claim against you. However, if it can be proven that it was not by fault or negligence on your part that caused the damage in question, then liability will no longer fall at your feet.
Suppose you’re not the only entity engaged in the processing (for instance, a shared controller or processor is also involved). In that case, those seeking compensation have the right to pursue claims against any of you. Suppose it falls on your shoulders to pay full indemnification for damage suffered by individuals. In that case, there may be an opportunity for reimbursement from other controllers and processors actively participating in the said process - but only if they are at fault.
Controllers who do not comply with the GDPR may face serious consequences. Such penalties could include administrative fines of up to EUR 20 million or 4% of global annual turnover (whichever is higher) and orders to cease processing personal data and issue corrective measures such as data protection impact assessments.
Conclusion
Data controllers play an essential role in ensuring that personal data is processed lawfully and in accordance with the GDPR.
They have several responsibilities, including determining the purposes and means of processing personal data, ensuring that personal data is processed transparently, fairly, and securely, engaging data processors, if any, and ensuring that appropriate technical and organisational measures are implemented to ensure the security of personal data.
Controllers need to understand and fulfil their responsibilities under GDPR to remain compliant with the law and protect individuals’ rights and freedoms.