Who’s Responsible under GDPR?
In May 2018, the General Data Protection Regulation (GDPR) comes into force across the whole of the European Union. In preparation, we’re giving you all of the essential information you need to become GDPR ready.
Here, we’re looking at who’s responsible for ensuring the laws are adhered to, and who is liable when they are not.
The ICO have outlined and defined three parties that will be involved in a data processing operation:
- Data Subject: the person about whom data is being collected.
- Data Controller: the person or organisation that decides why personal data is held or used, and how it is held or used.
- Data Processor: any person or organisation that holds or uses data on behalf of the data controller.
For example, a festival organiser may use an external provider to manage ticket sales. The ticket sales provider processes the data on behalf of the festival organiser. The ticket sales provider should also process the data exclusively for the purpose set out by the festival organiser. In this scenario, customers are the data subjects, the ticket sales provider is the data processor and the festival organiser is the data controller.
These terms are broadly the same as before, but the responsibilities and obligations associated with each group of people are changing with the new legislation.
Previously, data controllers were the only party responsible for enforcing data protection regulations, and were exclusively liable when those regulations were not complied with.
The changes in the law mean that data processors will now also be held under certain obligations, particularly in areas of security, record keeping and international transfers. The changes also mean:
- There will be more rules for controllers and processors to abide by.
- Data processors could be as liable for breaches in data legislation as data controllers.
- The sanctions for failing to comply with the GDPR regulations will rise significantly. Where before the maximum fine was £500,000, now the fine can rise to whichever of the following is higher:
  - 4% of worldwide turnover
  - €20,000,000 (at the time of writing around £17,700,000).
In summary, the regulations are getting more complicated. In addition, more people are responsible for complying with them, and the penalty for not complying is significantly higher. It is vital that your organisation becomes compliant with GDPR well before May 2018 to ensure that there’s no chance of getting caught out.
For more information on GDPR regulations, have a look at the rest of our GDPR explainer series. Alternatively, for help and advice on becoming GDPR compliant, as well as a range of other queries, get in touch with Culture Republic here.