The responsibility for compliance with GDPR lies with the Data Controller.
If your organisation decides what data to collect, what is to be done with it and how it is to be used, then you are a Data Controller. The ICO will give you a more detailed definition than this, but in essence, if you make the decisions, you are the Data Controller. As a Data Controller your organisation needs to be registered with the Information Commissioner’s Office (ICO).
In the context of business management, your task as a Data Controller is made complicated by several issues:
As a business owner or manager you may use somebody else’s technology to help you operate. For example, all of these will probably handle Personal data:
And then you have to think about the technology you use yourself as part of the processing:
But we’re not finished yet. People write stuff down too:
As the Data Controller, you are responsible for all the Personal data processed using any of the above. Note that this is not an exhaustive list; it’s just there to get you thinking.
If you use a third party to process Personal data on your behalf, they will usually be defined as a Data Processor. GDPR requires a legal contract between the Data Controller and the Data Processor specifying exactly how the PII data is to be processed.
If the Data Processor deviates from that specification, in other words if they make their own decisions about how the Personal data is to be processed, then they will be defined as a Data Controller themselves. This is fair. Think about it: if you select a Data Processor and define what you want them to do with Personal data under your control, you can hardly be held responsible if they then go off and do something else with it. That’s why you need the contract document.
The problems don’t stop there. In the case of some of the third parties noted above, your organisation won’t be the Data Controller, you will instead assume the role of Data Processor. This is the case with Payment Card systems. They specify what data is to be collected and how it is to be processed. You just do as you’re told.
Some technology partners will need a Joint Data Controller arrangement with you, which will need a contract specifying exactly which party is responsible for what, and what will happen if either party fails to observe their obligations.
It remains to be seen exactly how this will play out. But it is probable that some of your data partner websites will have some sort of Joint Data Controller requirement. You will need really strong and robust legal advice if you’re entering into a joint contract with a large, established operator. Their default contracts are unlikely to be written in your favour.
It is not all about technology.
Investing in the latest software isn’t going to make you compliant.
If there’s going to be a data breach, I suggest there will be a person – an employee – responsible for it happening.
It won’t be deliberate. It will be a genuine mistake. An error. An accident.
Your real problem, as a business owner or manager, is how you are going to create and maintain the organisational structure and behaviour that ensure an appropriate response to a data problem.