The differences and why it matters for GDPR
Businesses collect, use and store personal data. It’s unavoidable. An email address, phone number, birthdate, postal address – these are all personal data that allow someone to identify or contact an individual. Other information is far more sensitive, such as health information, religious preference, political beliefs, race or ethnic origin, sexual preference, financial details.
The European Union’s General Data Protection Regulation, which becomes effective on May 25, 2018, classifies businesses that receive and hold personal data as controllers or processors.
In simple terms, a controller is a company or individual that collects, controls and is responsible for keeping and using personal information kept in a digital or hard copy form. GDPR Article 4(7) defines it this way:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
A processor is an individual or business that processes data at a controller’s direction. Processing can occur simply by having access to data and covers a broad range of activities that involve the use of personal data. “Processing” is defined by Article 4(2) as
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
These definitions mean that a company can be both a data controller and data processor, depending on what data it has and what it is doing with the data. The 1995 EU Directive on personal data protection applied directly only to controllers, and aimed to prevent them from migrating data beyond the EU without meeting specific requirements for where the data was being exported. By contrast, the GDPR applies directly to both controllers and processors, though in different ways. This podcast explores the meaning of controller and processor and how cross-border businesses can meet the differing requirements imposed by the GDPR.