The world of data protection can be as full of jargon as any other. Businesses usually fall into one of two categories – Data Controllers and Data Processors.
This may sound complex but in fact your responsibilities are quite clear whichever one you fall under.
Article 30 of the UK GDPR requires companies to produce “records of processing activities”, which will “allow regulators to see that companies are adhering to GDPR. With this goal in mind, the records should show why and how the data is being processed”.
Most companies are classed as Data Controllers, meaning they will hold personal data on their employees and customers. They “determine the purposes and means of the processing of personal data”. In other words, they decide how personal data can be used and how it is stored. A controller can be a company, a public body, or an individual such as a sole trader or self-employed professional.
In addition to the relevant information about the business and its Data Protection Officer, a Data Controller should document:
- What the data will be used for. This may be customer order management, marketing, or membership records.
- The different types of people whose data will be held. For example, employees, customers, or members.
- What sort of data you are holding on them, such as contact details, health data or financial information.
- Who else might be using the data on your behalf. It could include logistics companies, credit agencies or government departments.
- How long you expect to retain the data for.
Ideally you will also be able to document the measures you take to safeguard the data. These might include cyber security measures, access controls on the files where data is kept, and staff training to ensure everyone within your team is aware of what is expected of them.
Data Processors are companies that process personal data on behalf of the Controller. It is the Data Controller who makes the decisions regarding how the data is used; Processors make no such decisions of their own but simply act on the Controller’s instructions.
The Data Processor’s role is quite tightly defined. This is to ensure that they are acting on the instructions of the Controller and only making day-to-day operational decisions about implementation of the Controller’s requirements. A common example of a data processor would be a digital agency or website development company.
The information that a Processor needs to document is broadly similar to a Controller’s requirements. The main difference is that they need to record the contact information of each of the Controllers they provide services to, including the Data Protection Officer’s details. There is also the related category of Joint Controllers of data, which may apply to some people who see themselves primarily as Data Processors.
To be clear about which of these personal data protection categories applies to your business, talking to CSRB is the first step.
We can help you with what you are legally required to do and why. We will help you manage and protect data responsibly while taking the jargon out of the process.
Get in touch with us here or call 0117 325 0830 to learn more about how we can bring clarity to your data management processes.