Is my organisation a Data Controller? How can I tell and what does that mean?
The short response to the first question is yes: your organisation will almost certainly be the data controller for at least some elements of personal data. It may also be the data processor for other elements of personal data. You can be both, for separate collections of personal data, within the same organisation.
To clarify, the GDPR (General Data Protection Regulation) defines a controller as an entity that determines the purposes and means of the processing of a set of personal data, and a processor as an entity that processes personal data on behalf of the controller.
For example: if you were a cloud-based software provider, companies using your software would input personal data into your system, but they are the ones who decide what to input and when it is deleted, so your company is just storing (that is, processing) the personal data. You are therefore the Data Processor for that data. However, should you, as that cloud-based software provider, employ staff, then as their employer you would collect and process their personal data and also decide what is collected and where it is stored and processed. For this collection of personal data, your software company is the Data Controller, showing that a company can in fact be both a Data Processor and a Data Controller.
For the more processing-centric organisations, it can be easy to forget that employee data is something of which the organisation is always the controller.
What does the law say about my responsibilities?
The GDPR sets out the responsibilities of a controller in Article 24. All controllers of personal data are required to take into account all of the data they control, the scope of the processing taking place, the reasons for collecting and processing it, any risks to that data, and the rights of the data subjects it belongs to. The legislation also requires the controller to implement appropriate data protection policies and to follow any applicable codes of conduct set out by regulatory bodies with regard to personal data processing.
What does this mean on a practical level?
What these responsibilities mean is that organisations will need to conduct an audit to assess all the personal data they hold. That audit will need to look at each of their processes so that it is possible to understand where the data is collected from, what the reasons for processing it are, who it is shared with and where it is stored.
From this you can begin a gap analysis between the organisation's current situation and where it ideally needs to be, identifying the changes required.
Such changes could include updating the organisation's network security, ensuring its data protection policies are up to date or ensuring staff members are fully trained in data protection. You may also find you are required to conduct a DPIA (Data Protection Impact Assessment) on one of your processes.
The benefit of carrying out such a gap analysis is that you can spot areas where you are weak and update them to become compliant, which is clearly better than leaving them unchecked and open to fines.
What is a process analysis?
The GDPR has been law in the UK and EU for over a year now. One of the key elements of maintaining compliance with this law, namely ensuring that good records of the data being processed are kept, has been missed by many organisations. This is probably down to a lack of understanding or training on some of the lesser-known requirements of the law and what they practically require organisations to do. A recent example of this was where the ICO audited the Legal Ombudsman and found they were not keeping accurate records of the information they were responsible for.
Conducting a data mapping exercise and then using it to document your organisation's flows of data in a process analysis register is a useful data management practice that generates a record of the personal data being processed and where it goes. It is not just another admin task to 'fluff out' the GDPR compliance process but an essential project to identify where there could be privacy risks and data leaks. There is now a clear responsibility on businesses to proactively protect the data they hold; this includes being aware of any potential risks.
What does the GDPR say about this?
Article 30 of the GDPR states that organisations must maintain a record of processing activities. The record must contain information such as the purposes for processing the data, a description of the categories of data subject and categories of personal data, the categories of any recipients of that data, whether it is transferred to any other countries and if so which, how the data is kept secure, and the length of time that data will be retained for.
This should all be recorded in an organisation's information asset register and process register, and it can be detailed by carrying out a data mapping exercise.
Where should the organisation start?
You can't protect personal data if you don't know what it is, where it is and how it is managed. Furthermore, if you don't know where to look or how to identify weaknesses in your data infrastructure, how will you find and deal with them?
The exercise needs the right people from across the organisation to be involved. This could include:
Data Protection Officer (if applicable)
Members of the senior management team
Information Security Officer
It would be prudent to ensure that this is ultimately handled by a person or team appointed to handle GDPR-related projects, whether an internal appointment or an external consultant. After conducting the exercise, specific knowledge and expertise will be needed to analyse the information collected, measure it against the regulation and, from there, make recommendations to improve compliance - which is the end goal.
Forti5 is a team of leading experts in cyber security and GDPR providing complete GDPR services, training and advice. We also certify organisations to IASME Gold and Cyber Essentials. Contact our Southampton office: www.forti5.tech