April 21, 2021

Who’s who in GDPR?

At Risk Evolves, our friendly team of GDPR experts are often asked to help SMEs review and improve their GDPR compliance.

We know that GDPR can seem daunting so this blog and its companion, Who Does What in GDPR?, are a gentle introduction to the topic. They’ll help you:

  • Understand what the GDPR means for your business
  • Make sure that your employees understand their individual responsibilities
  • Decide if your outsourced providers are a risk
  • Tick your clients’ boxes by anticipating, understanding and meeting their data protection needs

Let’s begin by looking at who’s who in GDPR.


You and me…

As we go through life, we entrust our personal information to organisations. We do it so often that we hardly think about it. Examples include:

  • Providing online stores with our names, addresses and contact details
  • Giving a new employer our personal details so they can pay us
  • Providing information to the NHS

Years ago, all data used to be held on paper. Now, the data that we share can be held in many forms, including paper, digital, biometric, CCTV images, GPS tracking records and so on.

When we hold data on someone, we call them a Data Subject. This is a rather impersonal way of saying a living person. The GDPR doesn’t apply to someone after they die.

Meet the Data Controller

The organisation that receives our data after we share it is called a Data Controller.

The Data Controller is a decision-maker in terms of what happens to this data. They are accountable for ensuring that personal data is treated with respect, used correctly, protected from criminals and not shared without our (the Data Subject’s) knowledge or permission.

Is your organisation a Data Controller?

Does organisation decide any of the following?

  • Which data to collect
  • Where to store it
  • How long to keep it
  • When to delete it
  • Who it can be shared with and why

If you answer yes to any of the above, your organisation is definitely a Data Controller.

Examples of data held include:

  • Personal information about employees gathered as part of payroll
  • Email addresses used for marketing purposes
  • Customers’ names and addresses


Who else is involved in data processing?

If a Data Controller outsources any of their data processing to another organisation, that organisation becomes a Data Processor.

Does your organisation have Data Processors?

Most small businesses have at least one Data Processor. If you use the services of an outsourced provider, there’s a good chance that they process data for you. If you answer yes to any of the following, then you have at least one Data Processor:

  • Do you have an outsourced payroll provider?
  • Do you have a marketing agency who sends out emails or collateral for you?
  • Do you outsource your IT?

These are just a few common examples of Data Processors who provide services to SMEs.


Wearing two hats

It’s not unusual for a company to be both a Data Controller and a Data Processor.

Looking at our own business, we’re a Data Controller as we collect data in-house in order to run our own payroll. We’re also a Data Processor as some clients ask us to manage projects which involve their personal data.


There’s more… meet the Sub Processor

A Sub Processor is an organisation that processes data on behalf of the Data Processor.

A real-life example

Imagine that you are the first person to buy a book from ABC Ltd’s website. To do so, you have to provide contact, delivery and bank details.

Once you place your order, you become their first Data Subject. ABC Ltd becomes the Data Controller.

However, ABC Ltd doesn’t do its own deliveries. It plans to outsource them to a logistics company, Vic’s Vans. Upon receipt of your name and address, Vic’s Vans becomes a Data Processor.

Unfortunately, Vic’s Vans don’t have a driver in your area. They ask Tom’s Trucks to deliver the book on their behalf. When Tom’s Trucks receive your details from Vic’s Vans, they become a Sub Processor.

As Data Controller, ABC Ltd remains accountable for your data at every step. If you have a query about how your data is being managed or shared, you should address it to ABC Ltd.

ABC Ltd should take steps to protect your data, including having an agreement with Vic’s Vans. Vic’s Vans, in turn, should have an agreement with Tom’s Trucks. You’ll find out more about this in our blog on Who Does What in GDPR?.


The role of the Data Protection Officer (DPO)

Some organisations may need to appoint a Data Protection Officer (DPO). A DPO is required in three scenarios:

  • If you are a public authority or body (except for courts acting in their judicial capacity)
  • If your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking) or
  • If your core activities consist of largescale* processing of special categories of data or data relating to criminal convictions and offences

* Largescale means you handle hundreds of thousands of records – like an insurance company or the records in a supermarket’s loyalty database.

This role requires in-depth knowledge of the GDPR and the UK Data Protection Act (DPA) and has some additional legal responsibilities. Many smaller businesses find that outsourcing this role to experts gives them peace of mind and ensures that they always have access to the support they need. For example, if a client is faced with a particularly tricky situation, our Virtual DPOs will join forces to decide on the best course of action.


Need more help?

Whether you’re a Data Controller, a Data Processor or both, the companion blog Who Does What in GDPR? will help you check you’re doing all you can to boost compliance and put your customers’ minds at rest.


See more content from Risk Evolves here.

Newsletter Sign Up

Newsletter Sign Up

Get regular insights direct to your inbox.