Following-on from the previous articles in this series on big data, we now focus on the challenges of maintaining, storing and using vast quantities of data.

Data controller or data processor

An essential distinction to remember is the difference between a “data controller” and a “data processor.” A data controller is a person or organisation who determines the purposes for which and the manner in which any personal data are, or are to be, processed. A data processor is a person who processes the data on behalf of the data controller.

Remember that, as discussed previously, the law focuses on the protection of personal data.

The degree of independence that a party has in determining how and in what manner data is processed, as well as the degree of control over the content of personal data, will indicate whether the party involved is a controller or a processor.

Why is this an important distinction?

Essentially, one needs to distinguish between the two in order to determine where legal responsibility lies for the data which is held.

Data controllers must anticipate data protection issues arising from their use of big data technologies and take prudent practical steps, including privacy impact assessments, for example it is important to be mindful of and to assess how big data analytics is likely to affect the individuals whose data is being processed and whether processing is fair.

The law requires the controllers to take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Data processors are not subject to such obligations under legislation (though remember that responsibilities may, and often are, allocated by way of warranties and indemnities in contracts).

Data and the cloud

Data services are often inextricably linked with the cloud nowadays.  Although the cloud provider provides a range of services and uses a great deal of its own technical expertise to do this, it is still generally considered as only a data processor. A key consideration is that the conditions of a cloud services contract mean the cloud provider usually has no scope to use the data for any of its own purposes. In addition, the cloud provider does not collect any information itself. All the personal data it holds in connection with its provision of the service is provided by the data controller.

By utilising the cloud platform, a data controller will effectively be giving up control of the security of data whilst still potentially maintaining responsibility for any breach of data security.

Data controllers will be subject to national data protection law in relation to their use of cloud services and will remain legally responsible for any processing undertaken on their behalf by a cloud provider as data processor.

The cloud customer will therefore be liable for any breaches of data protection law caused by the acts or omissions of the cloud provider or any of its affiliates or subcontractors (as data sub-processors) that process the personal data under the control of the cloud customer and may be exposed to sanctions imposed by the national data protection authority.

The cloud contract

With a view of the above, it is important to approach the cloud contract with diligence and this topic is covered separately in our series of articles.