GDPR Knowledge Series Part 1
Data Processors vs. Data Controllers and Knowing the Difference
The General Data Protection Regulation (GDPR) in the European Union (EU) was a seismic change to data protection law for companies domiciled in or operating in the 27 countries of the EU. In this series of articles, we will cover the key tenets of GDPR and what you need to understand to avoid being caught in its potentially expensive legal net.
To be clear, the scope of GDPR covers data held and managed on residents of EU member countries (residents, not citizens). GDPR, like any complex legislation, has produced a huge amount of confusion and ambiguity around what a company’s obligations are with respect to it.
Like many regulations, the conditions might appear onerous at first, but careful management and a clear understanding of what you can and can’t do are key to keeping yourself out of legal hot water.
In this first article we will focus on what Data Processors and Data Controllers are and what their responsibilities are.
The data controller (the end user of the data) is defined as:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The full list of Data Controller obligations can be found here: https://www.gdpreu.org/the-regulation/key-concepts/ but here are some of the key ones:
Contacts must explicitly opt in to marketing communications
There are specific types of personal information that must not be collected under any circumstances
The contact has a right, upon request, to be deleted from all marketing and sales lists and databases (the right to be forgotten)
The contact must be able to unsubscribe at any time, even after opting in originally
The main regulatory tenet for Data Processors (vendors) is as follows:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject.
Data processor obligations under GDPR consist of:
Only process personal data on instructions from the controller, and inform the controller if it believes that an instruction infringes the GDPR (28.3). In other words, a data processor may not opportunistically use or mine personal data it is entrusted with for purposes not outlined by the data controller.
Obtain written permission from the controller before engaging a subcontractor (28.2), and assume full liability for failures of subcontractors to meet the GDPR (28.4)
Upon request, delete or return all personal data to the controller at the end of the service contract (28.3.g)
Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h)
Take reasonable steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing (32.1)
Notify data controllers without undue delay upon learning of data breaches (33.2)
Restrict personal data transfer to a third country only if legal safeguards are obtained (46)
In a nutshell, the Data Processor’s obligations are effectively best practices for handling customer data on behalf of a Controller that falls within the scope of GDPR.
Key Considerations and Risk Factors
It has come to our attention that there are data and list vendors out there promoting their databases and lists as “GDPR Opt-In Ready.” This is patently false, and you should give data vendors who make such claims a wide berth. There is no such thing as GDPR opt-in ready contact data, for one main reason:
Each end user company (the “Data Controller”) is responsible for securing the Opt-In permission from the individual prospect, regardless of where it obtained the data originally.
The data or list vendor is classified as a “Data Processor” and has a different set of obligations with respect to how they manage data.
We have seen some clients and companies “handicapping” their marketing databases because they are unable to accurately classify their contacts’ geographic location and thus cannot determine which contacts are subject to GDPR (EU residents) and which are not (everyone else). If your data vendor cannot accurately scrub your database to append and classify contacts by geographic location, then you should evaluate other vendors that can. Not being able to classify contact location could make 50%+ of your database unusable for no good reason.
How the end user company (Data Controller) obtains GDPR Opt-In permission from prospects will be the subject of a later article.
GDPR is mostly a refinement and consolidation of a patchwork of country-level EU data protection regulations. Like Y2K, the risks and impact have been somewhat overstated, usually by vendors offering some kind of GDPR compliance services. Some review of your data practices and adjustment to your B2B outbound marketing processes should keep you out of trouble.
Beware any data vendor that offers “GDPR Opt-in” contact data
If you are a B2B vendor, you are allowed some latitude in terms of unsolicited contact, but the other GDPR requirements must still be followed
Make sure your prospect target data aligns more closely with the product or service you are offering so it will pass the “legitimate interest” test on closer scrutiny
If in doubt, consult your legal counsel, but make sure that counsel understands and has expertise in GDPR law
You can also consult the Data Protection regulator in the EU country whose residents’ data you are using for an opinion, to protect yourself
About Contact Persona LLC
Contact Persona is a specialist data quality service vendor with multiple offerings covering CRM data quality, inbound lead processing, custom curated database building and field event solutions. Our approach is consultative in nature, and we provide input and professional advice with all our offerings. Check out our solutions at: https://www.contactpersona.io/solutions