GDPR: Controllers, Processors and the Subject (That’s You!)

By Danny Stumpf, IT Manager

Today, most companies rely on partnerships and subcontractors to deliver their services: marketing consultants, bill collectors, diagnostic labs, and so on. It may surprise you to learn how many different parties are involved in something as simple as buying a cup of coffee. Not only is your transaction recorded by the coffee shop, merchant provider, and ultimately your credit card company, but it is likely at least one of these will archive the purchase in a system maintained by another organization (such as a third-party data warehouse).

In GDPR lingo, these affiliates are known as processors, as your personal information is being transmitted to them for accounting, analysis or, well, processing. Conversely, those providing your data are called controllers, as they determine to some degree how the information is to be managed and ultimately used by the processor. This chain of custody applies to every entity involved, from you, to your doctor, to the diagnostic laboratory. Now, consider that the doctor’s office or the lab might use a cloud-based data backup service: your information embarks upon a long and complex journey from the very instant you provide it. Notice that the middlemen often take on a dual role, acting as a processor at one end and as a controller when they pass your information on to a subsequent processor.

Acknowledging the likelihood that your personal data will change hands many times in the course of normal business, GDPR states that the responsibility of protecting your privacy is shared by all entities, organizations, or services that touch your data. Not only must all parties implement measures to protect your information, but all are subject to penalties in the event of mishandling or a breach. This encourages service providers to choose their partners wisely, as they share the risk of any mishandling committed by their partners. Additionally, GDPR requires any such relationship to be strictly defined by a data processing agreement.

Under GDPR, your personal information cannot be shared without a formal contract between the controller and processor, with explicitly defined rules describing the reason your information is being provided as well as how it should be used. In fact, as many as thirteen clauses may be required in any GDPR-compliant data processing contract. Suppose your bank loan is serviced by a third party: your bank must document what data is to be shared with that processor (account balances, terms and your contact information) and what the data will be used for (collecting payments and corresponding directly with you). Perhaps most importantly, the agreement must also require the processor to assist in complying with any request initiated by you, the data subject, to exercise your GDPR-protected right to own and control your data. These requests could range from correcting errors in the data to demanding that it be erased.

While many organizations have established or updated their data processing agreements in an effort to comply with these new requirements, many have not. As GDPR will certainly influence privacy legislation globally, now is the time to consider the data chain of custody, both personally as a data subject, and in your business activities.