With only twelve weeks to go until May 25, we’re getting down to the wire. Some companies are looking forward to that date with dread, and others are merely hoping it passes without causing too much mayhem. We’ve spent a good amount of time talking about what to consider and what to do to prepare, but we shouldn’t ignore a more basic question: who needs to prepare?
If you’re worried that it’s getting late (it is), and you haven’t figured out if the GDPR applies to you (it might), then there is still some time to get to work. And, contrary to what you may have heard, the GDPR doesn’t apply to every business. Your kid’s lemonade stand doesn’t have to appoint a DPO and encrypt customer data. (I mean, probably).
Instead, the Regulation applies to controllers and processors of personal data of European citizens. We have covered personal data before and will cover the Regulation’s extraterritorial scope next week, but for now, what is a controller or a processor? As it happens, the definitions have been around for some time: they were promulgated in the mid-nineties when the EU drafted the Data Protection Directive.
A controller is any person or entity that “determines the purposes and means of the processing of personal data.” That definition is interesting because it has nothing to do with size, industry, or intent; it is only about what you do. The implication is clearly that anyone who decides how to analyze, bundle, sell, or use personal data is a controller. That’s an amazingly broad definition because it captures everyone from Big Data to tiny startups that create customer profiles. A processor is, simply, a person or entity, separate from the controller, that processes data on the controller’s behalf. This functional role is more about the nuts and bolts of processing the information – the mechanical aspect of data processing.
Notably, though, because being a controller is conduct-based, not intent-based, processors can become controllers without meaning to. Consider this example: you own a delivery company, and you match orders placed with a controller to the home addresses of their customers and deliver their goods. For now, you are just a processor. But what if you start annotating how frequently the customers receive orders so you can offer them a tailored package of mail services? You’ve just graduated to being a controller, because you’ve determined, on your own, the purpose and means of processing the data you have.
You may say “so what? What difference does it make if you are a controller or a processor, GDPR still applies, right?” Yes, and more importantly, no. Controllers have a long list of requirements to meet under the Regulation, including obligations to:
- Provide information to data subjects;
- Only process data with a legitimate basis for doing so;
- Honor data subject rights;
- Conduct Data Protection Impact Assessments (DPIAs);
- Devise and maintain a robust data security protocol; and
- Conduct yearly audits of their activities and report all breaches to supervisory authorities.
The list goes on (and on). Processors have obligations under the GDPR to maintain the security of data and maintain records, but their duties are vastly less complicated than controller duties.
The lesson? If you’re a controller, you have a lot of work to do, and will always have a lot of work to do if you remain a controller. Processors? Not as much. And because you can become a controller almost accidentally, you always have to be on guard about any new course of action bringing new obligations on yourself. In short, you need to constantly pay attention to what you’re doing with personal data and why (which is, you know, the whole purpose of the GDPR). Take the time now to determine whether you’re a controller or processor, and start preparing for May 25. There’s still time, but only a little.