Does the GDPR make me a Data Controller?


Thu Jan 4 14:30:20 2018

The GDPR, the General Data Protection Regulation, is enforceable from 25th May 2018. The law was passed in 2016 and then entered a transitional phase to allow businesses and organisations to adapt. I will be discussing some aspects of the GDPR as I help the businesses and organisations I am involved with change to reflect the new legislation.

In this article I am going to share a few thoughts about one of the risks of not being fully in control of your data or the way in which you use software.

Am I a Data Controller?

Under the GDPR you can be a 'data controller' or a 'data processor', and, more importantly, you can be both depending on your activities.1 So how do you know if you are a data controller?

The GDPR defines a data controller in Article 4 (7) (Definitions) where it states:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

In law a 'natural person' is someone like you or me, a carbon-based lifeform who breathes air, whereas a 'legal person' can be an organisation. So data controllers include both you and your company; it isn't just organisations but individuals. Anyone who holds data on 'natural persons' is a 'data controller'.

The type of data that you control, and to which you must pay particular attention, is personally identifiable information (PII), as defined in Article 4 (1):

'an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;'

This means that a contacts list, which will have a name and number and usually an address, alongside other data such as an email address, is likely to count as PII. So almost every person who has a list of contacts on a mobile phone or in a written address book can be seen to carry with them personally identifiable information and is (therefore) a data controller.

This should make you immediately concerned and introduce the need to be cautious. The GDPR determines that your responsibility is to mitigate the risk to the 'natural person' (Article 24, Recitals 74-79) and to ensure that the data you hold is suitably secured and not used inappropriately. How secure is your phone, or your contact address book? Do you write an address on a scrap of paper? If so, how do you dispose of that afterwards? All of these are data concerns and you should have clear policies and methods for dealing with them.

Reducing Risk

One of the easiest ways to reduce risk is to start to anonymise (or pseudonymise) the data that you collect. You can also start to disassociate data. So you might want to store the real names of contacts at a company as identification numbers, or separate addresses from real names and phone numbers. Is it really necessary to have all the data available at all times on all devices, to yourself, or to other people in your organisation?

'The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.' (Recital 26)

The use of a centralised data store, with reduced data on individual and personally carried devices, will drastically reduce the threat inherent in the breach of any of those devices. The use of anonymisation and pseudonymised data relationships will also help mitigate the potential threat.
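As an added illustration of the disassociation described above (not code from the original article), the following Python splits a contacts list into a working store keyed by random pseudonyms and a separately held linkage table, which is the 'additional information' of Recital 26. The contacts and field names are constructed for the example.

```python
import secrets

# Constructed sample contacts for illustration only; not real people.
CONTACTS = [
    {"name": "Alice Example", "phone": "+44 1524 000001",
     "email": "alice@example.invalid", "address": "1 Sample Street"},
    {"name": "Bob Example", "phone": "+44 1524 000002",
     "email": "bob@example.invalid", "address": "2 Sample Street"},
]

# Fields that identify a person directly; these stay out of the working store.
DIRECT_IDENTIFIERS = ("name", "phone", "email")


def pseudonymise(contacts):
    """Split contacts into two stores.

    `working` keeps what day-to-day use needs, keyed by a random pseudonym
    instead of a name. `linkage` maps pseudonyms back to direct identifiers
    and belongs in the centralised store, not on every carried device.
    Note that the working store is still personal data under Recital 26,
    because the linkage table makes the person identifiable again.
    """
    working, linkage = [], {}
    for contact in contacts:
        pseudonym = secrets.token_hex(8)  # random, so it says nothing about the person
        linkage[pseudonym] = {k: contact[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in contact.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"id": pseudonym, **rest})
    return working, linkage


def reidentify(record, linkage):
    """Re-link a working record to its person; needs the linkage table."""
    identity = linkage.get(record["id"])
    return None if identity is None else {**record, **identity}


def leaks_direct_identifier(records):
    """Check whether a store (e.g. the copy on a phone) holds any direct identifier."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    working, linkage = pseudonymise(CONTACTS)
    print(working)                           # addresses keyed by pseudonym only
    print(reidentify(working[0], linkage))   # full record, linkage table required
```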

Records and Processes

It is important for anyone who is a data controller to keep a record of:

  • What details they have;
  • Where they have them recorded;
  • What security, encryption or risk management is undertaken;
  • Who they share those details with ('Data Processors').

The data controller is also responsible for ensuring that the data processor, which can be anything from a mailing list manager to a third-party HR, contacts or accounts system, is compliant with the GDPR. The data processor is obliged to tell you of their compliance and to prove it if asked. However, it is the responsibility of the controller to ensure that this is correct.

Writing it all down

The GDPR also notes, in Article 30, that the controller needs to keep records regarding the data. The quality and depth of these documents will depend on the code of conduct of any supervisory body (usually local government, but it can be an official trade organisation) and the size of the organisation. It will also depend on the amount of data that is collected and controlled and the complexity of your systems.2

Companies with fewer than 250 employees, which are classed as micro, small or medium enterprises or sole traders, have different levels of responsibility regarding record keeping. Broadly speaking, the smaller the organisation the less onerous the task of recording is made. However, that does not remove the need for the basic levels of record keeping listed above, and it is wise to investigate the responsibilities for your own organisation.

You should also think about your data as a process and have a clear plan that details:

  • What you record;
  • Where you store it;
  • How it is accessed;
  • How it is secured;
  • How long it is stored;
  • The method to view, modify or delete.

This can be your 'data control process'. The smaller your data set, the less personal data you store, the easier this task will be.

In the next article I am going to look at data processors, how they differ from data controllers, and the rights and responsibilities that affect them.

Further Reading

In all cases it is wise to consult the regulations directly when determining your level of responsibility to make yourself compliant. Further reading for this piece can be found in:

Articles: 4, 24, 25, 26, 29, 30

Recitals: 13, 15, 24, 26, 28, 29, 30, 31, 34, 35, 36, 37, 74, 75, 76, 77, 78, 79, 82

  1. Generally speaking, a data controller is the person who owns the collected data and a data processor is a person who processes data on behalf of a controller. However, you can both collect data yourself and process it on behalf of others and therefore be both. Or, alternatively, you can control data and run processes on the data you collect and therefore be both. A lot of people, however, will use third-party services for the processing of data, and this is especially true of micro to medium organisations. ↩

  2. As with most things, simplicity is easiest to manage, control and secure. The more complex a system or process, the easier it is to overlook details or to leave gaps for breaches. A single entry and exit point is easier to guard. ↩