Your Guide to GDPR Compliance: Roles and Responsibilities

In our introductory GDPR blog post, we introduced the different definitions of personal data and how organizations can handle, process, and store it. In this blog post, we will talk about the roles and responsibilities of people who are affected by GDPR, so let’s quickly explain what these are.  

Am I a controller am I a processor? What are these terms? And who is a “data subject”?

For any kind of service provider or entity that has a computer, somewhere, these three roles are probably going to apply to you in one way or another. If your computer has a list of people (your clients, your employees) or something that might identify people e.g. a log that contains IP addresses, a list of phone numbers), well, these entities apply. 

Out of the three types of entities that come into play, the simplest is data subject. That is the person who is identifiable in a list (whether it is the complete personal details such as first name, last name etc. or just an identifiable number like your mobile phone.) 

Controller and processor are the more complicated bits. If it is only your computer that has this list of personal data and it never leaves your sight, well, you are both. You control the data and you process it. But often enough we use third-party services to manage parts or the whole system that contains PII (personally identifiable information, another cool term). If this system is established on your behalf (i.e. the list of your employees, your clients), congratulations, you are a controller. The other party, the service provider is the processor. They process data for you. As often happens, they, in turn, may use some other company’s services (like a hosting provider), these are “sub-processors”.

The data subject is the one that received new rights and new protections. Controllers of data and processors of data just received some new obligations they need to comply with. The GDPR draws clear lines to what are the rules that apply to each role. 

But as you may have understood already… you are often going to be all three. You are the controller of some data, very possibly a processor of some and always, you and your employees are “data subjects” as well as your clients, prospects and, well anyone you have data about in a computer system.

A recap:

Data subject is a natural person (any living human) in an EU member state. From now on they must give explicit permission for the use of their personal data. 
Data controller collects and determines the purposes and means of the processing of personal data. This is the entity for the benefit of which the data is being collected, treated, used.
Data processor processes personal data on behalf of the controller. This is a service provider (a SaaS application, a hosting company, well, anyone that gives a service that is used it that collection, treatment and use).
Supervisory authority is an independent public authority, which is established by a Member State and it is responsible for enforcement of the GDPR. These are important: the GDPR applies all over the EU, but the specifics may very well vary somewhat between the different countries.

Let’s look at three examples:

Example 1: A US fashion retailer collects personal data from new and existing customers in Europe from its website and sees a drop in customer loyalty in Spain. In order to improve customer satisfaction and loyalty, the retailer outsources its data processing to a Spanish market research agency for all the data collected by the retailer. The agency then analyzes the data and provides insights and business recommendations to the retailer.

The fashion retailer is the data controller and the market research agency is the data processor. As both parties collect and process the data of individuals based in a European member state, they must comply with GDPR. These customers now have new rights and if the fashion retailer or the market research agency don’t comply (we will discuss this in our upcoming blog post) the customers will be able to lodge a complaint, which can result in hefty fines.

Example 2: A theater company in Berlin, Germany collects data from its newsletter subscribers via its website. The website is hosted with a local cloud hosting provider, including all the data from the company’s subscriptions. When a person wants to unsubscribe from the newsletter, the cloud hosting provider is instructed by the theater company to delete the data within 30 days. 

The theater company is the data controller and the cloud hosting provider is the processor. Both parties are in Germany, which is a European member state, and therefore must comply to GDPR.

Example 3: I have a contacts list on my personal phone, with photos, dates of birth, and I have messages that are very private with many of them…. Scot free. 

The GDPR does not regulate your private affairs, it is here to protect you not police you. The question is always what is the scope and purpose of data collection and use. This applies to companies, legal entities, not individuals. Therefore this is an example where collecting and processing data is out of material scope.

The job of preparing for the GDPR is to first understand your role in the different business activities you have (from internal HR to marketing) in regards to the other entities and service providers you work with. Map out these relationships, including vendors, first. Once you do that you need to understand how the data flow works and who has what responsibilities, in which circumstance. And lastly, you will need to go over the chain and make sure everything is aligned. If you are a “controller” on a specific subject, are the “processors”, which you are using, ready? Do you have the contracts with them that cover you? Can you pass the buck along?

Whatever role your company is, data controller or processor, every company should undertake these responsibilities:

1. Put GDPR compliance efforts in place — Yes! Putting in the effort, by itself, already advances you on the path to compliance. Not doing anything, even if you believe you are not affected by the GDPR for some reason, creates a large business risk for you. In addition, you will miss out on an opportunity to actively engage your customers to promote your privacy and security features
    
2. Appoint a Data Protection Officer. The DPO has to have a large degree of independence, direct access to the highest management, as he/she will: 
   1. inform and advise the controller or the processor;
   2. monitor GDPR compliance, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
   3. provide advice and monitor performance of a data protection impact assessment; 
   4. cooperate with the supervisory authority and be responsible for the entire relationship between supervisory authority and controller/processor;
   5. act as the contact point for the supervisory authority.
       
3. The DPO should deliver regular reports to management on the state of compliance
    
4. Top management should provide personnel, financing, and information systems resources which will demonstrate commitment to the GDPR compliance project

That’s it for now. In our next post we will talk about six principles for the processing of personal data.