The Data Controller
The responsibility for compliance with GDPR lies with the Data Controller.
What Is A Data Controller?
If your organisation decides what data to collect, what is to be done with it and how it is to be used. Then you are a Data Controller. The ICO will give you a more detailed definition than this, but in essence, if you make the decisions, you are the Data Controller. As a Data Controller your organisation needs to be registered with the Information Commissioner’s Office (ICO)
In the context of business management, your task as a Data Controller is made complicated by several issues:
- Your business may use of a LOT of third parties when it comes to the use of technology for processing personal data.
- If the rate of staff turnover in your industry can be quite high. This means your “organisational memory” for dealing with GDPR responsibilities can be short. You need to keep reminding people what to do and re-training.
- Some businesses use a lot of Personal Data. Plain fact – some types of sales orders contain a lot of personal data. Employee records are full of personal data.
Third Parties – Your Data Partners
As a business owner or manager you may use somebody else’s technology to help you operate. For example all of these will probably handle Personal data:
- Business Management System
- Customer Relationship Management System
- Payment Card System
- Online Booking System
- Online Marketing Partner websites
- Email Autoresponder
- Employee HR System
- Employee Payroll System
- Cloud Systems
And then you have to think about the technology you use yourself as part of the processing:
- Desktop computers
- Laptop computers
- Tablet computers
- Backup drives
- Disks – DVD and CD storage
- USB thumb drives
But we’re not finished yet. People write stuff down too:
- Order cards and paper order forms
- Correspondence records
- Copies of bills
- Enquiry records
- Archived records
- Post-it notes
- Sheets of paper
As the Data Controller, you are responsible for all the Personal data processed using any of the above. Note that this is not an exclusive list, it’s just there to get you thinking.
The Problem With Third Party Technology Partners Is…
If you use a third party to process Personal data data on your behalf, they will usually be defined as a Data Processor. GDPR means that there needs to be a legal contract agreement between the Data Controller and Data Processor specifying exactly how the PII data is to be processed.
If the Data Processor deviates from that specification. In other words, they make their own decisions about how the Personal data is to be processed, then they will be defined as a Data Controller themselves. This is fair. Think about it: If you select a data processor and define what you want them to do with Personal data under your control, you can hardly be held responsible if they then go off and do something else with it. That’s why you need the contract document.
The problems don’t stop there. In the case of some of the third parties noted above, your organisation won’t be the Data Controller, you will instead assume the role of Data Processor. This is the case with Payment Card systems. They specify what data is to be collected and how it is to be processed. You just do as you’re told.
Some technology partners will need a Joint Data Controller arrangement with you. Which will need a contract specifying exactly which party is responsible for what – and what will happen if either party fails to observe their obligations.
It remains to be seen exactly how this will play out. But it is probable that some of your data partner websites will have some sort of Joint Data Controller requirement. You will need really strong and robust legal advice if you’re entering into a joint contract with a large, established operator. Their default contracts are unlikely to be written in your favour.
Your Real Problem As a Data Controller
- It is not all about technology.
- Investing in the latest software isn’t going to make you compliant.
- If there’s going to be a data breach, I suggest there will be a person – an employee – responsible for it happening.
- It won’t be deliberate. It will be a genuine mistake. An error. An accident.
Your real problem, as a business owner or manager, is how you’re going to create and maintain the organisational structure and behaviour to ensure an appropriate response to a data problem?