Data Controller Defined

Data Controller Duties and Obligations

What Is a Data Controller and Why Is It Important Anyway?

The determining factor is control, not possession, of personal data. The data controller is the company or person who has the power to determine what happens to your data.

In many countries, the “possessor” of data is the company that collected it. However, in other places, like the European Union, the data “possessor” can be a government agency or some other entity.

The data controller determines the decisions about the purposes and procedures of how and why a company/website will use the data. Typically, this is the owner or manager of the website.

If you have a website, you need to be GDPR compliant. There are distinct steps you must take to remain in compliance with the new regulations, including those required by the EU.

What Does It Mean if You Are a Data Controller?

The data controller is the person or company that determines the purposes for which, and how, the data will be processed. Therefore, if your company decides ‘why’ and ‘how’ the data should be processed, it is the data controller.

As a data controller, you (an individual or organisation) are responsible for ensuring your processing complies with the General Data Protection Regulation (GDPR).

This includes ensuring all data processed on your behalf is adequate, accurate, timely and secure.

Obligations of controllers: You (the individual controllers) need to agree who will fulfil specific controller obligations under the GDPR, as each controller is responsible for compliance with all the GDPR responsibilities.


What Does It Mean if You Are Joint Data Controllers?

Article 26 states that if the parties jointly determine the purpose and means of processing, both are deemed joint controllers. The GDPR doesn’t go into further detail on this process and only mentions it in passing in Articles 30 and 36.

  • When two or more controllers jointly decide on the purposes and means of processing, they are joint data controllers.
  • Each data controller shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular regarding the exercise of the data subject’s rights (Article 13), in a transparent manner, except where that is not possible, in which case they shall make the appropriate arrangements between them.
  • The arrangement might designate a contact point for data subjects.

Are You a Joint Controller Checklist:

  • We have a common objective with other marketers regarding the processing of data.
  • We are processing personal data for the same purpose as another company.
  • The other controller is using the same set of personal data that we are using for this processing.
  • We’ve designed this process with another controller.
  • We share common information management rules with another controller.

The clauses in Article 26 (GDPR) on joint controllership are very short, but they have generated much discussion and uncertainty for organisations.

The concept of joint controllership is not particularly new, but its post-GDPR application in the modern data processing ecosystem is complex.

Clarifying how parties are deemed joint controllers defines their respective compliance responsibilities and shared liability regarding individuals and data protection authorities.

Can You Be Both a Data Controller and Data Processor?

Are You a Controller, a Processor, or Both?

An entity/organisation can be a data controller, or a data processor, or both.

The same organisation can be both a data controller and a data processor. For example, if our analytics provider runs a customer’s data through its systems, the provider will be the processor of that data.

However, the analytics provider may hold any number of other data sets, perhaps which it uses in its analytics tools. If the analytics provider is entitled to determine how that additional data is used, it will be the controller of that data.

How Do You Determine Whether You Are a Controller or Personal Data Processor?

Your GDPR obligations will depend on whether you are a controller, processor or joint controllers.

Therefore, it’s vital you carefully consider your role and responsibilities regarding your data processing activities to determine whether you are a controller, a processor or joint controllers.

Are You a Data Controller?

  • It is necessary to collect or process personal data.
  • We decided what the purpose or outcome of the processing was to be.
  • We decided what personal data we wanted to collect.
  • We selected the individuals we were going to collect personal data about.
  • We obtain a commercial benefit or gain from the processing, except for any payments for services from another controller.
  • As a result of a contract between us and the data subject, we are processing their personal data.
  • Our “data subjects” are our employees.
  • We make decisions about the individuals involved as part of or as a result of the processing.
  • We exercise professional judgement in the processing of the personal data of “data subjects”.
  • There is a direct relationship between us and data subjects.
  • We have complete power over how the data is processed.
  • We have authorised the processors to process the personal data on our behalf.

Even if you aren’t directly involved in collecting any data, you are still potentially liable for non-compliance with the GDPR. Therefore, you are responsible for ensuring you demonstrate compliance with the Regulation’s data protection principles.

GDPR Compliance and Data Controllers Responsibilities

What Does GDPR Define as a Data Controller?

The General Data Protection Regulation distinguishes between a ‘data controller’ and a ‘data processor’ in the UK.

This helps to identify that not all organisations involved in the processing of personal data have the same degree of responsibility. The UK GDPR defines these terms as:

The person or organisation that determines ‘why’ and ‘how’ personal data should be processed is known as the data controller.

Suppose a company processes personal data to help a specific individual (like an employee) carry out their duties. In that case, that employee is acting as a data processor.

A ‘data processor’ is any business or individual who processes personal data on behalf of another. Summarised, they are an agent for the data controller.


How Do You Determine Whether You Are a Controller or Personal Data Processor?

The six core principles of the general data protection regime are laid out in Article 5 of the UK GDPR:

  1. First data protection principle; The first principle of privacy is reasonably self-evident. An organisation should ensure its data collection practices are legal and don’t hide anything from its data subjects. To comply, as a data controller, you need to thoroughly understand the GDPR and its rules for data collection. In addition, you should publish your privacy policy stating exactly what data you collect and why you’re collecting it.
  2. Second data protection principle; Organisations should limit the amount of personal data they collect to what is necessary to fulfil their purposes. They should also ensure that the data they collect is accurate, up-to-date, and not kept for longer than is required to meet those purposes. A data controller will be given more leeway if your processing is done for archival, public interest, scientific, historical or statistical purposes.
  3. Third data protection principle; An organisation must only process personal data necessary to achieve its purpose. This has two significant benefits. In the event that a data breach occurs, an individual will only have access to a small amount of data. It’s also easier to keep data accurate.
  4. Fourth data protection principle; Data accuracy is essential to data privacy. The GDPR asserts that “every reasonable step” must be taken to correct, delete or destroy any data that is not accurate or complete. Individuals have the right to request inaccurate or incomplete data to be corrected or updated within 30 days. However, it may be impossible to correct or update the data in other cases, and the data may need to be removed.
  5. Fifth data protection principle; All organisations must delete personal data when it’s no longer necessary. How long should an organisation retain customer data? It varies between industries and the reasons that the data is collected. Any organisation that is uncertain how long it should keep personal data should consult a legal professional.
  6. Sixth data protection principle; GDPR requires that personal data be secured. Data should be protected against loss, destruction, or damage. It should also be protected against unauthorised processing and against accidental loss, using appropriate technical or organisational measures. GDPR is deliberately vague about what organisations should do because technological and organisational best practices are constantly changing.

Data Controller Checklist

The checklist below will help you ascertain what you need to do if you’re a data controller.

  1. The information you hold; Your business has completed an information audit to find out where the data in your business is located.
  2. Processing data on a lawful basis; Your business has documented and identified your lawful bases for processing data.
  3. Consent and control; The UK General Data Protection Regulation sets a very high standard for consent. However, you don’t always need consent. In some cases, offering people genuine choice and control over how you use their data enhances your reputation and creates more trust. The GDPR builds on the 1998 Act standard of consent in several areas and contains more detail about what constitutes valid consent and other lawful bases for processing people’s data.
  4. Processing children’s personal data for online services and consent; You must have a lawful basis for processing a minor’s personal data. If you depend on consent as the lawful basis for processing data and you are offering online services to children, you must make reasonable efforts to verify that anyone giving their own consent is old enough to do so.

    Therefore, you will need to ensure that anyone providing their consent to you is over the age of 13.

    If you provide an online service for children under the age of 13, you must first get the consent of whoever holds parental responsibility for the child. You must then use reasonable efforts to verify that the person giving consent for the child does have parental responsibility.

  5. Vital interests of individuals; If you must process any kind of data to protect the interests of an individual, your business needs to document the circumstances where it will be relevant and inform those individuals where necessary.
  6. Legitimate interests for data processing; If you rely on legitimate interests as the lawful basis for processing, your business has demonstrated that it has considered and protected individuals’ rights and interests.
  7. Data protection fee cost; All organisations or businesses that process any personal information need to pay a fee to the ICO unless they are exempt.

What Organisational Measures Can You Take To Stop Data Breaches

What Does This Mean for Your Organisation/Company?

To be safe, always assume that everything you store about a customer is personal data and ensure you comply with the law/Data Protection Act when it comes to storing and processing that data.

Ensure your customers’ personal data processing is secure, compliant with data privacy regulations and that you erase it promptly when it is no longer needed.

It is essential to consider pseudonymising and/or encrypting personal data when it is a particular category of personal data. To do so, replace identifying information with “artificial identifiers”. This will ensure the personal data remains secure.

Although it is mentioned 15 times in the GDPR, pseudonymisation alone is not enough; it has its limitations, so encryption is also mentioned in the GDPR.

Encryption scrambles or encodes information by replacing it with something else.

Pseudonymisation permits anyone with access to the data in your organisation to view that data set; encryption, on the other hand, allows only “approved” users to access the complete data set.

It is possible to use both pseudonymisation and encryption at the same time or separately under GDPR.
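The pseudonymisation step described above, as an added illustration that is not part of the original page: direct identifiers are replaced with artificial identifiers derived from a keyed hash (HMAC-SHA256), and the key and lookup table are held apart from the shared data set. The field names, sample records and helper names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers in this constructed example.
IDENTIFYING_FIELDS = ("name", "email")


def make_token(key: bytes, field: str, value: str) -> str:
    """Derive a stable artificial identifier from a keyed hash (HMAC-SHA256)."""
    # Normalise so the same person always maps to the same token.
    msg = f"{field}:{value.strip().lower()}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised copies, lookup table kept by the key holder)."""
    out, lookup = [], {}
    for rec in records:
        clean = dict(rec)  # copy, so the original records are not modified
        for field in IDENTIFYING_FIELDS:
            token = make_token(key, field, rec[field])
            lookup[token] = rec[field]
            clean[field] = token
        out.append(clean)
    return out, lookup


def reidentify(token, lookup):
    """Map a token back to the original value; needs the lookup table."""
    return lookup.get(token)


# Constructed sample data, not real customers.
SAMPLE = [
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 42.50},
    {"name": "Bob Example", "email": "bob@example.com", "order_total": 13.00},
    {"name": "Alice Example", "email": "Alice@Example.com", "order_total": 7.25},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stored apart from the shared data set
    shared, lookup = pseudonymise(SAMPLE, key)
    for row in shared:
        print(row)  # tokens instead of names and emails; totals still readable
```

The non-identifying fields stay readable to anyone who can see the shared set, so encryption is still needed where the whole record must be restricted to approved users.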

You Will Need a Data Protection Officer

The UK GDPR requires you to designate a Data Protection Officer (DPO). This DPO is responsible for ensuring your organisation complies with the new regulations. They will also work with you on any necessary changes to your data management procedures.

Data Protection Officers assist you in monitoring your compliance with data protection laws and providing advice on Data Protection Impact Assessments (DPIAs). DPOs also act as a contact point for data subjects and the ICO.

A DPO can be someone who is already employed by your company, or someone who has no prior connection to your business at all.

The DPO must be independent, an expert in data protection, adequately funded, and report to the highest management level. Several organisations can appoint a single DPO in some cases.

Role of the DPO in Your Organisation

  • The DPO has many essential responsibilities, including monitoring data protection compliance, ensuring you’re aware of new data protection regulations, overseeing training, and performing audits.
  • We will take into account the advice of our Data Protection Officer and the information they provide regarding our data protection obligations.
  • During a DPIA, we always seek the advice of our DPO, who also monitors the process.
  • DPOs will consult on any other matter and co-operate with the ICO.
  • When performing their tasks, your DPO considers the nature, scope, context, purposes of processing and the risk associated with these processing operations.

Up-To-Date Security Software

One of the fundamental principles of the UK GDPR is that you must secure the processing of personal data by using appropriate organisational measures. This is the ‘security principle’.

You must take reasonable measures designed to ensure the confidentiality, integrity and availability of your systems and services and the personal data you process within them.

The Most Significant GDPR Fines – For Now

  1. Amazon – €746 million
  2. Google – €50 million
  3. H&M – €35 million
  4. TIM – €27.8 million
  5. British Airways – €22 million
  6. Marriott – €20.4 million
  7. Wind – €17 million
  8. Vodafone Italia – €12.3 million

As you can see above, the financial penalties for breaking GDPR are not cheap.

There are various steps you can take to make your company compliant.

  • Analyse the risks presented by your data processing and use this information to determine the level of security your organisation needs to put in place.
  • Identify what your company needs to do by considering the security outcomes you want to achieve.
  • Put into place all the essential technical controls specified by frameworks like Cyber Essentials (UK ONLY).
  • Understand that sometimes you will have to put additional security measures in place, depending on your specific circumstances and the type of personal data you process.
  • Where it’s appropriate to do so, use encryption and/or pseudonymisation.
  • Make sure that you have an appropriate process in place for backing up your customers’ data in the event of an incident, for example by making sure you have a suitable offsite storage facility.
  • By using a reputable data processor, you ensure that they have implemented appropriate technical and organisational measures.

Remote Working Policy and GDPR Compliance

Remote or flexible working arrangements are among the most important factors when looking for a job. Most employers don’t have a formal remote work policy, despite the increasing number of companies that offer remote job opportunities. This leaves you vulnerable.

All businesses/organisations should have a robust remote work policy in place. It will help to guide the operational model of your business.

It is also essential for remote developers to understand how to gather and access data in a GDPR compliant manner.

Establish a remote work policy to regulate and cover data accessibility:

  1. The developer’s responsibilities should be outlined.
  2. A remote access policy is needed.
  3. Strong password systems should be put in place, e.g. LastPass.
  4. The use of public wireless internet.
  5. Encrypt all your remote employees’ devices and enforce data encryption for everyone, even those logged in via their personal devices.
  6. Clear and actionable procedures should be in place for employees to report incidents.
  7. To fill security gaps, review your policy from time to time, and update your working from home policy according to your needs.

Find ways to reinforce your work from home policy with employee training and awareness sessions.

Data Controller FAQ

Are Data Controllers Always Liable?

The strictest levels of compliance are the responsibility of the data controllers. They must demonstrate full compliance with all data protection principles according to Article 24 of the GDPR. They are also responsible for the compliance of any processor that may process the data. As per Article 24 of the GDPR, data controllers must:
  • Take into account the purpose, nature, context, and scope of any data processing activities.
  • Take into account the likelihood of any severe risk to the rights and freedoms of natural persons.
  • Implement appropriate organisational and technical measures and security measures to demonstrate that the data processing activities have been done in accordance with the Regulation.
  • Revise and update these measures as needed.
  • Pay a data protection fee if they aren't exempt.

How Many Days Does a Data Controller Have?

When a customer exercises their rights under data protection law, your organisation must respond as quickly as possible. From the day they receive the request, this must be no later than one calendar month. When your organisation needs something from the customer to deal with their request, the time limit will begin once they have received it. If the customer request is complex or they make more than one, the response time may be a maximum of 3 months.

Can a Data Controller Be Fined?

The Data Protection Act 1998 allows the ICO only to take action against the data controller. It is possible to take action against both a data controller and data processor under GDPR. If the data controller and data processor are found to have played a role in breaching the legislation, the ICO could take action against them equally.

Can the Fines Be Significant?

If you are a data controller that has breached the Data Protection Act, the maximum fine you will have to pay will be £500,000. Under the GDPR, the fines can be up to 20 million Euros or 4% of group worldwide turnover, against both data controllers and data processors. The circumstances surrounding the incident will be taken into account when assessing the level of fine. For example, the type and volume of personal data affected by the breach, the level of loss or damage suffered by the impacted data subjects, whether the breach was negligent or wilful and any previous violations of the GDPR.
