Do you know whether you are a processor or a controller?
As if the whole GDPR situation were not complicated enough, there is also the difference between processors and controllers to get to grips with.
To put it as simply as possible, the controller is the organisation which makes the decision on how data is handled and the way in which it is used.
Meanwhile, processors are organisations which simply handle or store information on behalf of controllers.
To put it into some kind of context, banks collect all sorts of personal information from their customers and then use that information to decide what services best suit their needs.
In other words, because the bank decides how to collect the information and how it is used, it is a controller.
When it comes to processors the clue is in the name. Organisations which simply handle information on behalf of a controller are processors.
That means processors are most likely to be businesses such as data centres or document management companies.
When you get your head around the two definitions it all seems pretty straightforward and uncomplicated.
But the wonderful world of GDPR is hardly ever simple, and the reality is that in many cases business relationships can become complicated and difficult to define very quickly.
For example, when firms take on advertising and marketing companies for specific campaigns, the picture suddenly becomes much less clear.
All of a sudden the difference between a processor and a controller seems trickier to get to grips with.
The reality in the brave new GDPR world is that organisations can actually be processors and controllers at the same time.
The larger a company or an organisation grows, the more complicated its relationships with other businesses are likely to be.
The analogy of a Russian doll has been used in the past to describe the many different layers that often make up modern business structures.
With the new GDPR regulations now less than 100 days away from coming into force, and with the stakes so high, it makes perfect sense to get to grips with the distinctions and definitions.
After May 25th, everyone involved in handling data will have to make sure they are doing everything they can to protect people’s private information.
Organisations need to have their house in order and will have to clearly demonstrate they are doing their utmost to protect themselves and their customers against potential breaches and attacks from hackers.
Processors still have to prove that they are GDPR compliant and face the prospect of huge fines if they are not.
But the fact is that controllers are the ones who will be most at risk under the new system. That is why there can be no excuses for not being properly prepared for the new regime.
A good place to start is with the guidelines which have been published by the Information Commissioner’s Office.
As a business, if you are not sure whether you are a processor or a controller, now is the time to get some expert help and advice.
After all, as the old saying goes, it is always better to be safe than to be sorry.
You can check out my other articles for GDPR knowledge or use our ATS system to be GDPR compliant.
360 Resourcing Solutions deliver the best resourcing solutions through service, technology and innovation, from recruitment advertising to careers pages and applicant tracking systems.
We are the largest in the sector helping over 1,200 companies reduce cost per hire and attract the best talent into the organisation.