What are the responsibilities of a data controller?

If your organisation collect people's data, you need to know how GDPR applies to your practices

Series of locks on binary code with one unlocked

The data protection landscape transformed completely when GDPR came into force on 25 May 2018, with the EU setting out guidance for how businesses must collect, manage and process data. The regulations outlined what businesses must do to stay compliant, as well as the internal changes needed to ensure a more robust internal data protection regime.

Almost all businesses collect data in some form, whether it's information on workers or customers, but the way that organisations handle that data will determine what safeguards must be in place. Not everyone involved in the management and processing of data will share the same responsibilities, with GDPR outlining what provisions a data processor must make against a data controller. Some organisations may be both a controller or processor at different stages, too, depending on how data is being used.

GDPR outlines the differences between the two roles, although, in the event of a violation, there's a clause that ensures both controllers and processors can be held liable. With the new regulations, the role of the data controller has been tweaked somewhat so that now it's almost impossible to avoid responsibility when things might go wrong. This hasn't always been the case under previous data protection regimes when it comes to data breaches

Controller responsibilities

The person or organisation that decides how the data held is processed is known as the data controller. A data processor, on the other hand, is the entity responsible for processing data on behalf of the controller. These tend to be independent, third-party services, given data processors cannot be employed by the data controller.

The data controller must state exactly what data is being processed, how the processing should occur, and the reasons why the data is being processed. Controllers are charged with setting out this detail because GDPR attempts to improve the accountability surrounding how personal data is used and processed, so violations can be traced when they occur.

Under GDPR, controllers are not only jointly liable (alongside processors) for breaches of data, but they also have the ongoing task of ensuring the processor remains compliant within the context of the law.

Let's take a look at some other core responsibilities:

Ensuring data is collected lawfully

There are several different legal positions a data controller can adopt in order to justify the collection and processing of data under GDPR, although some of these justifications are more robust than others.

Related Resource

IT Pro 20/20: What the EU's new AI rules mean for business

The 17th issue of IT Pro 20/20 considers the effect of new regulations on the IT industry

IT Pro 20/20 Issue 17 - What the EU's new AI rules mean for businessDOWNLOAD NOW

One of the simplest and most well known is individual consent, which will allow a business to collect and process a subject's data with the understanding that they have agreed to this.

However, this is arguably the weakest legal position a company can adopt, as consent can be withdrawn at any time (meaning any data processing will grind to a halt), and providing enough information to inform a user's consent is a challenging task.

It's because of this that most legal experts will recommend a business rely on something other than consent. It's often the case that businesses will fall back on the 'Legitimate Interests' clause of the regulation, which allows the processing of data as part of a service that a customer might reasonably expect.

For example, a business has a legitimate interest to collect and process information relating to a customer who has recently bought a product through their online store, as without such processing the order cannot be fulfilled. However, that same business cannot use legitimate interest justification to then sell that data to a third-party website.

However, a business can also justify the collection and processing of user data if said processing is necessary in order to fulfil the terms of a contract. Similarly, if such processing is necessary in order to protect an individual's "vital interests" or if the processing could be deemed within the public interest, a business would have legal justification.

Regardless of how a business justifies its data activities, it must inform individuals what data is being collected and what they're doing with it.

Allowing people to access their data, move their data, change their data and delete their data

This means controllers must allow people to update their information, and move it to another service provider if they choose. Citizens can request a copy of their data, which must be supplied free of charge and within one month of the request.

A request to correct data must be completed within a month as well, or two months if the request is complex.

GDPR allows people to request that their data is deleted if it's no longer relevant or if they no longer consent to it being processed (among other reasons). But controllers can continue to process it for other reasons, including if they're legally obliged to, or it's health-related and in the public interest, or relates to advancing or defending legal claims.

Personal data must also be stored in machine-readable formats (like CSV files).

Data controllers must ensure they comply with almost every aspect of GDPR, which you can read more about in our dedicated in-depth explainer.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021