Written by Alan Ballany

The data processor processes people’s personal data on behalf of the data controller. Under GDPR, people will, for the first time, be able to take legal action against data processors for data protection breaches.

In this series, we’re highlighting some of the most important definitions for cultural organisations under the new GDPR, which comes into force on 25 May 2018. Last time, we looked at the data controller, the entity responsible for deciding how and why data will be processed. The controller has a really important relationship with the data processor.

Data processor - CLUE’S IN THE NAME

Simply put, the data processor processes people’s personal data on behalf of the data controller. Under GDPR, the definition of the data processor will be largely unchanged, but again responsibilities will be increased. In short, organisations will have to be more accountable for how they collect and use personal data.

Under GDPR people will, for the first time, be able to take legal action against data processors for data protection breaches. Processors, potentially, will also be liable to the data controller for the same breach. A data processor could be sued by a data subject if they were complicit in a breach by the data controller or if the processor was the source of the breach. Plus, the data processor could face sanction from the regulator – up to a maximum of 4% of annual turnover.

The data controller will be responsible for setting up a binding agreement with its data processors. For instance, this will come into effect when your organisation hires an external organisation to carry out marketing, fundraising or research on your behalf.

What might this look like in action?

A theatre organisation sets up an agreement with a box office service provider, which will collect people’s personal data (for instance email addresses, postal addresses etc.). The box office company is the data processor and the theatre is the data controller. The same holds true for unticketed organisations that use an external CRM supplier.

Looking for more information on common GDPR terminology? Watch for upcoming pieces in this series on: Anonymisation, Data subject and Consent. Have a quick look back at what it means to be a data controller.

Main image credit: Early Computer by John Graciano (CC BY 2.0)