Data — Processor, Controller, Originator, or Service Provider?

Phill Moran
Jun 16, 2020

What is the difference between a data controller and a data processor? What are your responsibilities under the GDPR? The CCPA? or other governance?

With the EU’s General Data Protection Regulation (GDPR) becoming enforceable on May 25th, 2018, the California Consumer Privacy Act (CCPA) entering the same state on Jan 1st, 2020, and now New York State’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) going live on Mar 21st, 2020, there are many competing terms for the same information classification.

Using the GDPR as the root, I am writing this in an attempt to simplify the terminology and provide you the information you need to correctly identify the controls you must apply to your personally identifiable information (PII). At the bottom of the article, there are some questions to help you decide your role(s) in line with the compliance or governance you are looking to achieve.

DEFINITION OF A DATA CONTROLLER (or the data originator business) — In the GDPR and other privacy laws, the data controller carries the greater responsibility when it comes to protecting the privacy and rights of the data subject, such as a user of your SaaS platform or web-delivered application. Simply put, the data controller controls the procedure and purpose of data usage. In short, the data controller (data originator in the CCPA) is the one that dictates how and why data is used within your Company.

A data controller is an organization or Company that processes the data it collects using its own procedures. In some instances, though, a data controller needs a third party or an external service to work with the data that has been collected. Even then, the data controller does not relinquish control of the data to the third-party service.

“The data controller will remain in control by specifying how the data is going to be used and processed by that external service.”

DEFINITION OF A DATA PROCESSOR (or service provider) — A data processor, or data services provider, processes whatever data a data controller gives it. A data processor is a third-party Company that a data controller chooses to use to process the data.

A third-party data processor neither owns nor controls the data it processes, which means the data processor cannot change the purpose of the processing or how the information is used. Finally, data processors are required to follow the instructions given by the data controller.

For instance, Your Company has a website that collects data on its visitors’ page views, including the page through which they enter the site, the pages they visit next, and how long they stay on each page. Your Company is the data controller, as you decide how the information is going to be used and processed, and for what purpose.

Your Company might also use Google Analytics to discover which of your pages are more popular and which ones are making site visitors leave. This helps you plan your content better by knowing exactly how much time each visitor spends on a particular page. Not only does Your Company learn which topics to write on, it also discovers new content of interest to your customers, and it helps you improve the material that is already there. To receive the insights it wants from Google Analytics, Your Company needs to share the data it collects with Google. In this example, Google Analytics is the data processor.

WHY IT IS IMPORTANT TO UNDERSTAND YOUR ROLE — As you can see, the data controller and the data processor have different roles and responsibilities; as such, it is essential to know the role you play.

For some organizations and their outside service providers, the distinction might not be as clear-cut as in the example above. For this reason, the governance standards outline the different roles and responsibilities expected of each. In turn, this clarifies what needs to be done on your part. For example, in a data breach event, a data controller and a data processor each limit their risk exposure by knowing the role they play and then making sure they have done everything expected of them. More importantly, if your Company has outsourced data processing, it is your responsibility to make sure that the processor knows its compliance obligations.

DUAL ROLES? — Yes, it is possible under nearly all versions of these laws.

As you can see, there are situations with gaps, overlapping responsibilities, and other grey areas, making it even more confusing to work out whether your position is data controller, data processor, or both.

There are many instances where you can be both a data processor and a data controller. If you store data, or if you do the analytics for another company, then you take on the role of the data processor.

For example, let’s say you, as a data controller, give an analytics provider all of your data, and the analytics provider has a few different reports to offer. The analytics provider decides which parts of your data are necessary for the report that you want. In this case, the analytics company becomes both a data controller and a data processor.

The roles of, and responsibilities for, data controllers and data processors will become increasingly important as your Company pushes to gain and maintain compliance with the GDPR. Understanding the differences, and how the role your Company serves in any particular scenario (you probably have multiple scenarios) alters your responsibilities, is key to compliance.

QUESTIONS TO ASSIST YOU IN DECIDING YOUR ROLE

Are we a Data Controller, Data Originator?

Do we collect or process personal data (PII)?

Do we decide what the purpose or outcome of the processing is?

Do we decide what personal data should be collected?

Do we choose which individuals to collect personal data from?

Do we obtain a commercial gain or other benefit from processing the personal data? (Payment for services from another controller does not count.)

Do we process personal data as a result of a contract between us and the subject of the data?

Do we process the data of our employees?

Do we make decisions about individuals as part of, or as a result of, our processing?

Do we exercise any professional judgment in processing personal data?

Do we have any direct relationships with the data subjects?

Do we have complete autonomy as to how personal data is processed?

Do we have appointed processors to process the personal data for us?

Are we a Data Processor / Service Provider?

Do we follow instructions given by someone else regarding the processing of personal data?

Were we given personal data by a customer or similar third party, or told explicitly what data to collect?

We do not decide what personal data to collect from individuals.

We do not decide the lawful basis for the use of that data.

We do not decide for what purpose(s) the data will be used.

We do not decide whether to disclose the data or to whom to make any disclosure.

We do not manage or decide the retention policy of the data.

We do not make any decision on how personal data is processed, but we implement those decisions under a contract with someone else.

We do not have an interest in the result of the processing.

Do we have Dual Roles?

Do we have a common objective with third parties or others regarding the processing?

Are we processing personal data for the same purpose as another controller?

Are we using the same set of (same common source) personal data for processing as another controller?

Have we designed this process with another controller?

Do we have the same information management rules as another controller?
