When it comes to international data transfer there are two types of people involved, the processors and the controllers. Both have specific responsibilities with regards to personal data and it is vital to understand the difference between them. One of the very large shifts that will be occurring under the upcoming EU General Data Protection Regulation (GDPR) is that organisations must designate themselves as either Controller or Processor (or in some instances both), and Controllers may not cede their responsibilities.
If an organisation wishes to operate in the Single Market they will need to conform to the new requirements of data protection and ownership. Failure under the GDPR is, for lack of better words, brutal; failing to adequately safeguard and manage access to data has a staggering impact. The GDPR has a planned penalty system that is not based on first time mistakes, but rather structured on whether the organisation attempted to ensure data protection and management. The penalty structure is as follows:
- A warning in writing in cases of first and non-intentional non-compliance,
- Periodic data protection audits,
- A fine up to 10000000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
- A fine up to 20000000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
As discussed, the controller and the processor have very specific responsibilities with regards to personal data and it is vital to understand the difference between them. A controller is defined as a legal person, public authority, agency or other body which determines the purposes and means of processing personal data. While a processor refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. While the controller identifies and analyses how personal data should be handled, the processor carries out any action involved with handling the data itself.
Under the current Data Protection Directive legal liability falls on the controller. Now, under the GDPR, controllers will still be responsible for appointing data processors that provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR. However, the processors themselves will now be held accountable for actions on personal data as well. Processors will have to approach their jobs in a whole new way since they will now also be subject to legal sanctions for any failure in compliance.
The controller and processor relationship can no longer insulate you from data breaches – if your processor was not conforming, you must look to the controller, who owned the data and subsequently owes the fine. That is not to say processors get carte blanche; they have to adhere to the requirements as well and fines will be assessed. However, controllers must proactively perform audits on their processors. Of course, that processor may have an ISO 27001 or a SOC2 or other certification but verification must occur by the controller.
To help contextualise this let’s take a look at an example relationship between a marketing firm that collects protected data and a cloud hosting company that provides Disaster Recovery as a Service (DRaaS). In this scenario, we have protected data being replicated to the cloud for a secondary DR site. In this situation, that data must conform to the controller’s requirements. Access control, network and physical security, data sovereignty and EU citizen access requirements all must be pushed down to the processor.
The processor may have conflicting requirements. For example, their support operations are run from the US and protected data can only be accessed by EU citizens. In this instance, if you as the controller did not know this or did not enforce your policies, that constitutes a failure and, as we have seen, will result in a fine that could end a business.
The key is to remember that your data is your data. Your rules must apply, your due diligence must be performed and your oversight must be in place and done, because the cost of not performing that controller role can destroy the organisation.