Data controllers' responsibilities

If your organisation collect people's data, you need to know how GDPR applies to your practices

On 25 May 2018, the way companies collect and use personal data forever changed. The EU's General Data Protection Regulation set out tougher rules for how and what data can be processed, as well as clearly outlining wider reaching corporate responsibilities.

All businesses collect personal data of some description, whether that's customer details or employee data, however, how your company handles that information will determine its duties under GDPR - although the laws recognise that not all parties involved in the processing of data share the same responsibilities.

GDPR recognises that companies either fall under the category of data controller or data processor, although some may be a controller or a processor at different times depending on how the data is used.

Distinctions between the two roles are clear, however, GDPR also took the major step of adding a clause that makes both parties jointly liable for any incident that breaches the regulations. It's because of this change that understanding the role of the data controller, which has historically been able to step out of the firing line when it came to data breaches, is fundamental for avoiding regulatory action.

Controller responsibilities

A data controller is a person or company that decides how the data they hold is to be processed. Conversely, a data processor is a person or company that processes said data on behalf of the controller - because a data processor cannot be an employee of a controller, these tend to be third-party companies providing a service.

The controller is responsible for stating exactly what data is to be processed, how that processing should occur, and the justification for doing so. These requirements are an attempt to improve the clarity and accountability surrounding the use of personal data, and to make it easier to identify those at fault when a breach occurs.

Under GDPR, controllers are not only jointly liable (alongside processors) for breaches of data, but they also have the ongoing task of ensuring the processor remains compliant within the context of the law.

Let's take a look at some other core responsibilities:

Ensuring data is collected lawfully

There are several different justifications to collecting data under GDPR, and controllers must decide which suit them best. A person's consent is the top one, but they could easily withdraw their consent too. This makes the alternatives attractive as well: where processing is necessary to fulfil a contract, is legally necessary, is necessary to protect a person's "vital interests", is in the public interest, necessary to the controller - or a third party's - legitimate interests.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Controllers must also tell people what they are collecting their data for, and what they're doing with it.

Allowing people to access their data, move their data, change their data and delete their data

This means controllers must allow people to update their information, and move it to another service provider if they choose. Citizens can request a copy of their data, which must be supplied free of charge and within one month of the request.

A request to correct data must be completed within a month as well, or two months if the request is complex.

GDPR allows people to request that their data is deleted if it's no longer relevant or if they no longer consent to it being processed (among other reasons). But controllers can continue to process it for other reasons, including if they're legally obliged to, or it's health-related and in the public interest, or relates to advancing or defending legal claims.

Personal data must also be stored in machine-readable formats (like CSV files).

Advertisement - Article continues below

Data controllers must ensure they comply with almost every aspect of GDPR, which you can read more about in our dedicated in-depth explainer.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020