3.0 - GDPR Responsibilities

3.1 - Data Controllers and Processors

  • Data Controllers
    • Authority which alone or jointly determines the purposes and means of processing personal data
    • Tasks include:
      • Ensure they have compliance
      • Inform (data details)
      • Implement technical measures
      • Adhere to written agreements with processors
    • Data controllers must obtain data fairly and must only keep it for its intended purpose

  • Data Processors
    • Authority which processes personal data on behalf of the controller, e.g. a managed service
    • Tasks include:
      • Record processing operations
      • Implement security measures
      • Inform controllers of any data breach
      • Appoint a data protection officer (DPO) as required
    • Any data processed must be protected, processed only with sufficient permission, etc.

  • The data controller is the owner of the given data, is responsible to the citizens (data subjects), and uses technical measures and processes when handling the data.

  • The data processor follows the instructions of the controller and is responsible only to the controller. It primarily provides security functions.

  • Example: Explore California
    • Employees share personal data with the company. Explore California is therefore the data controller. If it also handles the processing internally, the company is both the controller and the processor.
    • If the company were to use an HR tool external to the company, that tool's provider would be the processor.

3.2 - Joint Controllers and Third-Party Partners

  • Joint Controllers
    • AKA co-controllers: 2 or more controllers that jointly determine how and why data is processed.
    • Example: A Facebook page associated with a given company. Facebook and the company together determine what is to be done with the data.
    • Characteristics:
      • Shared purpose
      • Each controller is responsible for compliance
      • An agreement clearly outlining the responsibilities of each controller must be in place
  • Third Parties
    • Any other parties with whom you share personal data and who can process it for their own purposes
    • Organisations must ensure any third parties remain compliant when processing the shared data. This can be achieved by multiple methods:
      • Providing the third party with security prerequisite requirements
      • Carrying out regular vendor risk assessments
      • Reviewing third-party self-certifications for verification
      • Utilising independent internal and external audit functions

3.3 - Data Protection Officer (DPO)

  • Determines how well an organisation can adhere to GDPR
  • Responsibilities include:
    • Enterprise security leadership
    • Overseeing data protection strategies
  • GDPR requires the appointment of a DPO for controllers and processors involved in high-risk processing activities
  • DPO responsibilities generally vary based on organisation size, but the DPO always needs to report to the C-level
  • Appointing a DPO should be based on the following criteria:
    • Professional knowledge of data protection
    • Must be able to perform tasks independently
    • Independence assurances: DPOs should be able to operate with:
      • No instructions
      • No conflict of interest with business decisions
      • Staff to support their duties
      • Authority to investigate issues / processes
      • A minimum term of 2 years (can be renewed for a maximum of 5 terms, so up to 10 years)
  • DPO tasks:
    • Inform data subjects about their rights and raise awareness of the regulations
    • Advise their institution about the application of GDPR rules
    • Carry out prior risk assessments against a list of operations their organisation will undertake
    • Hold their institution accountable to its governing agency
    • Handle any queries and complaints regarding data handling
    • Cooperate with the EU and other governing agencies