GDPR Basics: Roles and Relationships
GDPR defines two principal roles, and the relationship between them: the Data Controller and the Data Processor.
A Data Controller is the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal privacy data. Controllers call the shots: they determine exactly which data elements are required for their processing purposes, how the data is processed, and how it is disseminated. Controllers bear responsibility for the protection of this privacy data throughout the data life-cycle.
A Data Processor is the natural or legal person, public authority, agency or any other body which stores and processes personal privacy data on behalf of the Controller. Processors are bound by the Controller's instructions on exactly how the data must be handled in order to protect it; those instructions are most advisably set out in a contract, to which the Processor agrees to abide.
The GDPR is NOT a check-box exercise like many security, compliance or privacy frameworks may seem to be. PCI, for instance, has 12 areas of responsibility, with the first being how firewalls must be placed and configured. One must filter outbound traffic to only that which is necessary to the business; if that is true, check, and on to the next control.
GDPR is broadly written, and is open to equally broad interpretation in many, if not most, GDPR Articles. Your legal team should be involved in your GDPR Compliance efforts. They may be called upon to justify business operations that concern privacy data, and it’s best to be prepared for that eventuality.