GDPR Food for Thought: Data Controllers and Data Processors

Miles & Stockbridge P.C.

The EU General Data Protection Regulation (GDPR) took effect on May 25, 2018. Potential fines for the most serious violations of the GDPR run up to four percent of an organization's total worldwide annual turnover for the preceding financial year or €20 million (approximately $23 million), whichever is greater. Despite the risks associated with failing to meet the GDPR standards, many companies are still working towards compliance.

If you are among this group, it is critical to not give up but, rather, to focus on actively continuing efforts to achieve (and maintain) compliance.

In our next entry in a series of GDPR compliance action items, we look at the differences between a Data Controller and a Data Processor and their respective obligations to each other and to the data subject. Depending on the nature and scope of the data processing activities, it is possible to be both a Data Controller and a Data Processor.

Who is a Data Controller: The Data Controller is the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data (the "why" and "how" of the processing). A Data Controller may engage a third-party Data Processor to carry out the processing, but the Data Controller continues to make these decisions by instructing the Data Processor on the purposes for which, and the means by which, the data may be processed.

You are the Data Controller if you decide:

  1. Whether to collect the personal data, and the legal basis for doing so;
  2. Which items of personal data to collect;
  3. Whether to modify the data once collected;
  4. The purposes for which the data will be used;
  5. Whether to share the data and, if so, with whom; and
  6. How long to retain the data.

Who is a Data Processor: The Data Processor processes personal data on behalf of the Data Controller, rather than for its own independent purposes. The Data Processor does not control the data and cannot change the purpose or use of the particular set of data. The Data Processor is limited to processing the data according to the documented instructions and purposes given by the Data Controller. Certain processing functions may be outsourced to a Data Sub-Processor, but only with the Data Controller's prior written authorization (which may be specific to a given Sub-Processor or general, with the Data Controller given notice of, and the opportunity to object to, any changes).

You are the Data Processor if you are engaged and instructed by a Data Controller to carry out some of the following tasks on its behalf:

  1. Implement the methods used to collect personal data;
  2. Use particular tools or techniques to collect personal data;
  3. Implement the security measures that protect the personal data;
  4. Store the personal data; or
  5. Transfer the personal data from one organization to another.

GDPR Impact: Under the GDPR, the Data Controller remains responsible to the data subject for the lawful processing of the data, including for the acts or omissions of its Data Processors. The GDPR requires that the processing be governed by a written contract (commonly a Data Processing Agreement or Addendum) between the Data Controller and each Data Processor that sets out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the GDPR compliance responsibilities of each party. The Data Controller has the direct relationship with the data subject (and with the supervisory authorities) regarding the handling of the data, and is the party obligated to notify the supervisory authority, and where required the affected data subjects, if a personal data breach occurs; the Data Processor, in turn, must notify the Data Controller without undue delay after becoming aware of a breach. While the Data Controller has the direct relationship with the data subject, the Data Processor has liability to the Data Controller under the contract between them, is liable to the Data Controller for the acts and omissions of its Data Sub-Processors, and is also subject to certain direct obligations under the GDPR (such as maintaining records of processing and implementing appropriate security measures), for which it can be fined directly.

Potential Actions: Review your existing business operations to confirm the correct characterization of your data processing activities. Remember that you may be both a Data Controller and a Data Processor, depending on the nature and scope of these activities. If you are a Data Controller, make certain that your third-party provider contracts include GDPR compliance provisions and, where appropriate, amend your contracts to include a Data Processing Addendum that meets these requirements. If you are a Data Processor that uses Sub-Processors, initiate the same review of your third-party contracts, and confirm that each Sub-Processor is subject to the same data protection obligations that you owe to the Data Controller.

For the requirements of GDPR compliance, please see our previous entries on Privacy Policies and Data Mapping on the Miles & Stockbridge Intellectual Property Blog.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miles & Stockbridge P.C. | Attorney Advertising