With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, companies must ensure that they are compliant. Regarding personal data, the regulation states:
“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which are collected together can lead to the identification of a particular person and also constitute personal data.
Personal data that has been de-identified, encrypted, or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.” Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
If we think about the amount of data that can be collected from users on the internet, we are faced with the responsibility to comply with the regulation and the duty to be fair, transparent, and trustworthy. This is where the most important figure in data handling comes in: the data controller. So what is the role of the GDPR data controller?
The controller must collect data for specified, explicit, and legitimate purposes, and use personal data only for the purpose for which it was collected. It must ensure that personal data is accurate and up to date, taking into account the purposes for which it is processed, and correct it if it is not. It must also ensure that personal data is not stored longer than necessary for the purposes for which it was collected. Finally, it must put in place appropriate technical and organizational safeguards to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technology to prevent, for example, data leaks and data theft.
But within GDPR compliance, apart from the figure of the GDPR data controller, another term appears: the GDPR data processor. So what is the difference between a GDPR controller and a processor, and what are the responsibilities of each?
A data controller is a person or organization that determines the purposes and means of processing personal data. They are responsible for deciding why and how personal data is collected, processed, and used. The data controller is also responsible for ensuring that the processing of personal data is done in accordance with data protection laws.
A data processor, on the other hand, is a person or organization that processes personal data on behalf of a data controller. They only process the personal data for the specific purposes that have been agreed upon by the data controller. Data processors are not responsible for determining the purposes or means of processing personal data, but they are still required to comply with data protection laws.