If your U.S.-based company receives data (is a "data collector") from European Union (EU) citizens or residents, it must comply with the incoming GDPR - the EU's General Data Protection Regulation. That regulation divides "data collectors" into one of two categories: "Controllers" or "Processors." Determining which role best defines your corporate data-collection activities will also guide the development of your GDPR-compliant PII management systems.
Controllers vs. Processors in General
Essentially, controllers and processors perform the legal operations of principals and agents. The controller is the principal in the relationship that selects the agent and is responsible for the actions of the agent. The processor accepts the direction of the controller and works to achieve the controller's goals pursuant to the controller's terms.
For purposes of the GDPR, both controllers and processors interact with and manage the data derived from corporate activities, whether it's collected for a distinct purpose, such as for healthcare decisions, or its collection is ancillary to other corporate activities, such as sales. Controllers and processors have distinctly different responsibilities but work together to attain the GDPR's data privacy standards.
- The controller is the entity (a person, company or agency) which determines the "purposes and means of processing personal data." Ultimately, the controller determines which data to collect, from whom, for what purpose and where and how it will be stored/managed.
- When processing data, the controller must comply with the GDPR "data quality principles," ensuring that the processing is "fair and lawful," that the data is relevant to the purpose and not excessive, and that it is accurate for the use to which it is put.
- Perhaps most importantly, controllers can only process data for which they have a legal basis for that processing, such as explicit consent from the consumer or person, or a contract with a third party that explicitly grants access.
The GDPR also provides direction for corporations based outside the EU that do business either within the EU or with its citizens or residents. These companies must appoint a representative inside each EU country where their business lies, and comply with the data protection rules issued by both that country and the EU.
The processor is the contracted entity that processes data on behalf of a controller, and even though the rule asserts that controllers are ultimately responsible for data collection and usage activities, the processors must also demonstrate full compliance with GDPR requirements. (Controllers that use processors that aren't compliant can face penalties for that lapse.) Additionally:
- Processors must comply with the controller's directives and not take advantage of the private data for commercial gain.
- Processors are responsible for ensuring that personal information is properly secured, and must follow through with a consumer's request for deletion.
- Processors must also ensure that transfers of personal data to third-parties occur only pursuant to legitimate contracts and with appropriate security safeguards in place.
- Processors must inform controllers about any breach of their data processes and contribute to any audits necessary to ensure the safety of the personal data within their control.
A processor must also maintain records of all its processing activities if it qualifies under specific circumstances, such as employing more than 250 employees, processing data related to criminal convictions, or managing data that is likely to present a risk to the rights of data subjects.
After the GDPR becomes enforceable (on May 25, 2018), challenges will certainly arise regarding the roles and responsibilities of Controllers and Processors, which will further clarify their legal obligations to each other and to the citizens whose data they access. If your American company is doing business in the EU or with EU citizens or residents, ensuring that it complies with the GDPR will also ensure a secure and profitable market sector.