GDPR: Data Controller V’s Data Processor

Clients expect you to handle their data responsibly, so it is crucial to remain compliant with GDPR rules and avoid any data breaches. However, not all organisations involved in the processing of personal data have the same responsibilities. There are different roles including a Data Controller and a Data Processor.

What is the difference between a Data Controller and a Data Processor?

Let’s start by defining what a controller and a processor are–

Controller – the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

Processor – a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Controllers are responsible for complying with the UK GDPR guidelines as the data controller has control of the procedures and purpose of data usage. This means they choose how and why the data is used by their company. They have to demonstrate compliance with the data protection rules by taking effective technical and organisational action to ensure their process is in line with the UK GDPR.

What a Data Controller does to keep a business compliant:

  • Collects the personal information of customers and site visitors, provided they have the legal authority to do so.
  • Determines what they want to collect.
  • Changes or modifies the data that is collected.
  • Determines where and how to use the data and for what purpose.
  • Decide whether to keep the data in-house and with whom to share the data.
  • Decide how long the data is kept and when it should be disposed of.

A processor however, has more limited compliance responsibilities. A data processor handles GDPR data passed on to them from the data controller. A third-party data processor does not own the data they process so they also can’t control it. A data processor therefore cannot change the purpose and the means that the data is used for.

What a Data Processor does to keep a business compliant:

  • Designs, creates and puts in place IT processes and systems that allows the data controller to collect personal data.
  • Uses tools to collect personal data.
  • Puts in place security measures that safeguards the personal data.
  • Transfers data from the data controller to another organisation.

 

At L&R Storage we can help you stay GDPR compliance thanks to our range of document management services. For example, our reliable confidential shredding service provides you with a Certificate of Destruction once the shredding of your documents is complete, ensuring that your business complies with the Data Protection Act (GDPR).

Our insolvency services procedures ensure that once your client’s case is closed the files are assigned a retention period specific to each document stored with us. So you can be confident that your documents aren’t stored for longer than is necessary and you remain compliant to the Data Protection Act.

Contact us today to get started with our document management solutions.

Menu