Let’s break down some examples to help you understand the difference.
The primary difference between the data controller and the data processor is that the controller has ownership of customer data and determines how that data is collected and used. Data processors, on the other hand, simply process data on behalf of the controller. They cannot undertake any activity with customer data that the data controller has not given them permission for.
Both parties have responsibilities when it comes to protecting users and their data, but the controller has, among others, the responsibility of securing consent from customers, keeping clear records of data collection and processing, and taking all reasonable steps towards securing the data.
Example 1: Payroll
If you are a small business owner with a number of full-time employees on staff, you may well use an online piece of software to manage your payroll each month. You simply provide details about your staff to this company (names, dates of birth, addresses, national insurance numbers, etc.) and the online payroll software does the rest.
Now, in this case you are the data controller. You have collected and control your employees’ data and have contracted a company to process this data on your behalf. You have determined the purpose of the processing (calculating monthly payroll) and you control the data that is given to the service provider.
So whilst the software company is doing the hard work analysing the data you provide, they are simply the Data Processor.
Example 2: Emailing customers
You use an online email service, such as Mail Chimp or Campaign Monitor, to contact customers about the awesome products you sell at your shop. You collect email addresses, together with permission to market to your customers, on your website, and upload them to your email system before sending out your promotional emails.
In this scenario, you are the data controller as you have determined how the data will be collected and used. Your email service is the data processor, as they are performing a process you have contracted them to perform. Here, because you are the Data Controller, you have control over the use of data as well as the removal and deletion of data.
Example 3: Online payments
As a small online business owner, you need a way to take payments from customers on your website. You use a payments service provider, such as PayPal or Stripe, to capture personal information about your customers so that they can safely pay you.
In this case the payments provider is the Data Controller. This is because you have no say over what data is collected, how it is stored and how it is used. The payments provider specifies that customers must provide their first and last names, address and various credit card details. You cannot change this, nor will you have access to this data once it is submitted by the customer.
It is worth noting that, in this scenario, should you record any other details about your customers (address, postcode, names, email address etc.) then you are most likely acting as a Data Controller in relation to this data, and will need to make sure that you gather the appropriate consent from customers to store and process their data.
Example 4: Commissioning research
You commission a research firm to carry out an independent survey of your target market so that you can better understand how your brand is perceived. You ask the research company to identify, contact and interview participants, and to analyse the data they compile.
Your business does not pass any data to the research firm. The research firm will identify and contact customers independently.
Once the research company has completed their analysis, they will provide you with a report about your target market. Within the report, there is no information that would allow you to identify individuals.
In this case, whilst you are requesting the survey, you are not the controller. You have no control over how the survey is carried out and how or when the data is collected, stored, manipulated or deleted. Because of this, the research company is the data controller.
Example 5: Websites
You have a small local shop and want to make sure you are discoverable on Google. You don’t know much about websites, so you contract a web agency to build and run a website for your shop.
You don’t need to take orders through your website, but you collect email addresses and contact details from visitors so that your web agency can send them marketing information. Your website has a basic analytics system, like Google Analytics, that anonymously collects data about visitor behaviour on your website.
Here, you are the Data Controller. Whilst you do not necessarily handle data on a daily basis, you have complete control over how data is collected and handled. This is because you contract the web agency to perform the processing for you. If you wanted to, you could ask your web agency to provide all of the contact details they have collected and begin to manage your own promotional marketing.
Example 6: Marketing agency
You run a marketing agency providing promotional campaigns to clients, often involving direct mail or email marketing.
You are contracted by another business to send out ten thousand flyers to their customer database. In order to do this, the client sends over a spreadsheet containing their lead database. In order to use this information you have to perform some basic formatting and apply rules that exclude any individuals in the database who have unsubscribed.
You are the data processor. This is because all the interactions you have with the personal data of individuals are on behalf of your client, the data controller. Whilst the client may not have determined exactly how you would filter and modify the data to suit the needs of your business, ultimately you are performing this processing in pursuit of the deliverable set out by your client.
In this scenario, you cannot use the data you have received for any purposes beyond those stipulated in your contract with your client.
Want more information?
If you would like more information about GDPR, you can visit our Legal & HR advice hub, which has a number of articles about GDPR; you can claim a free 15 minute GDPR consultation with legal services provider Lawbite; or you can contact the ICO’s GDPR hotline for SMEs on 0303 123 1113.