As of 2018, the General Data Protection Regulations (GDPR) imposed new data privacy obligations on businesses in England and Wales. These include the obligation for businesses to store and safeguard their customers’ personal information. Your business can face large fines if you do not comply with the legislation. For that reason, it is wise to know and understand your business’s data privacy obligations. This article details the different obligations that the GDPR places on businesses to protect their customers’ personal data.
What is GDPR Compliance?
The GDPR applies to any person residing in the European Union. The regulations ensure that businesses safely collect, process and store personal information in their daily functions.
Many businesses now need to collect sensitive data from their customers to operate. For example, online retailers collect consumer information to facilitate deliveries of goods, run marketing campaigns and operate general business practices.
Storing and using that data is known as data processing. Importantly, your business’ obligations may vary depending on how your business uses its customers’ information. So, to understand your obligations under GDPR, you must establish whether you are a data controller or a data processor.
Are You a Data Processor or Data Controller?
What is a Data Controller?
In short, data controllers are the primary decision-makers when managing and storing personal data. They decide what information is collected and the purposes for collecting that information. Data controllers typically have a relationship or contract with the person whose data is being collected, also known as the ‘data subject’, and will appoint a processor to collect their data on their behalf.
Controllers take on more GDPR responsibilities than processors. This is because controllers seek to collect data for their business functions. They are also responsible for the compliance of their data processors. Data controllers must register with the Information Commissioner’s Office (ICO) and pay a data protection fee.
What is a Data Processor?
Data processors collect, handle, and store their customers’ personal information. Typically, a processor will follow a data controller’s instructions on how and where to collect personal data. Unlike data controllers, data processors do not decide what data should be collected or how the data is used. Furthermore, they do not decide how long to retain the data.
Processors do not have the same privacy obligations under the GDPR as data controllers. Still, they must ensure that they correctly follow the controller’s instructions, prevent breaches and maintain security, and notify controllers of potential breaches.
Here are several obligations your business must adhere to if you are a data controller or processor.
GDPR Privacy Obligations Imposed on Businesses
Process Data Fairly and Lawfully
This obligation applies to both controllers and processors and requires that you use data lawfully and obtain it fairly.
If your business is a data controller, you must acquire data in a way that does not contravene data security regulations. You must also use that data appropriately in the functioning of your business. It is your responsibility to ensure that your data processors comply with this principle.
Collect Adequate Information For Specified and Legitimate Purposes
If your business is a data controller, you must only collect a reasonable amount of specified data from your customers. You must also have a purpose for doing so that is both lawful and justified. Otherwise, you can receive a fine if you collect unnecessarily large amounts of data that have no bearing on your business practices. Additionally, you must not hold the data you collect for longer than necessary.
Accountability and Transparency
Both data processors and data controllers must be held accountable for how they use personal data. That requires them to keep a history of how they store and process personal information and be transparent on how and why they collect and process personal information.
Security
Data processors must take the appropriate measures to ensure their security systems are up to date and secure enough to prevent any data breaches from occurring.
Controllers must also employ the same practices and have an obligation to ensure any data processor they employ is securely housing their customers’ personal information.
Duty to Delete and Amend Personal Information When Requested
A customer can ask a data controller to delete or amend their personal information, or request access to it. In that case, data controllers must fulfil these requests and amend or delete the data immediately after the customer makes the request.
Notification of Potential Breaches
If you become aware of a potential data breach, you must report that breach as soon as possible. If you are a data processor, you need to immediately report that breach to your data controller.
Data controllers are responsible for notifying the Information Commissioner’s Office (ICO). The ICO is the regulatory authority responsible for overseeing data protection regulation in England and Wales. Additionally, data controllers must also notify any persons whose information has been leaked and appropriately take measures to rectify the situation.
Data Controller’s Responsibility for their Processors
Data controllers also must ensure that their processors are operating within the GDPR’s standards. A processor’s failure to comply with any of the above obligations or data protection laws can result in fines against you as the data controller.
Key Takeaways
When establishing your business’s data protection obligations under the GDPR, you must first establish whether you are a data processor or a controller. Each carries different privacy obligations for businesses. Therefore, identifying which one you are can help you adhere to the GDPR.
Generally, your business will have an obligation to safeguard the information you collect from your customers appropriately. You may therefore need to:
- ensure the appropriate security measures are in place to store data;
- process data lawfully and fairly;
- be transparent about how you use that data; and
- allow customers to access, delete and amend their personal data as they desire.
You should seek the advice of a practising lawyer if you are trying to understand your privacy obligations under the General Data Protection Regulations. If you need advice on how your business can stay GDPR compliant, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Data controllers have greater obligations because they oversee data processing, which occurs more often than not through a third-party data processor. In instructing a processor to handle their customer’s personal information, a controller acquires more obligations to ensure the processor is acting fairly within the law.
The main distinguishing feature between a data controller and a data processor is whether you are instructing another entity on what data you are looking to collect. If you instruct another entity to process data, you are a data controller. On the other hand, if you receive instructions to process personal information, then you are a data processor.