Why is it important to determine your role in personal data processing? Controller or processor?

The responsibilities of each company or person in the processing of personal data depend on whether they are the controller, the joint controller or the processor. Therefore, it is very important to carefully evaluate your or your company’s role and responsibilities with regard to personal data processing activities in order to understand:

• responsibilities defined by General Data Protection Regulation (GDPR) and how to perform them;
• responsibilities towards individuals and supervisory authorities;
• possible fines related to non-compliance with GDPR;
• how to cooperate with other organizations in order to ensure a responsible processing of personal data and respect of the rights of individuals;
• what type of contract to conclude with another organisation or individual.

It is important to remember that an organisation or person which processes personal data is not by its nature either a controller or a processor. Instead one needs to consider the personal data and the processing activity that is taking place, and consider who is determining the purposes and the manner of that specific processing.

Often companies or persons are unaware of their role in the processing of personal data. Even more often, they are deliberately negligent, in an attempt to avoid liability. Good news is that ... Read further

7 reasons why the implementation of personal data protection should not be postponed.

Besides the well-known and punitive fines which are stipulated by the General Data Protection Regulation and which may be lethal to small and medium-sized companies (SMEs), there are other risks and facts which are often overlooked by SMEs:

1. Reputation risk - the penalties imposed and public information on company data breaches will definitely affect the company's reputation and will bring additional costs.

2. Profit drop - More and more potential clients and partners are choosing to collaborate and transfer their data only to companies able to ensure proper protection.

3. Many cases of loss or disclosure of personal data happened because of the negligence and ignorance of one employee of the company, for which the company will be responsible in the first place.

4. Supply Chain Risk - SMEs are an easy victim of cyber crime and thus a potential entry point to larger enterprise IT systems.

5. Suspension of operations - each supervisory authority has the power to impose a temporary or definitive limitation including a ban on data processing, which means full stop of business activity for certain type of companies. 

6.  The number of complaints has grown significantly - data subjects are increasingly reaching out to EU data protection supervisory authorities to be consulted on GDPR and to submit complaints about companies which violate their rights. Overall, 144 376 complaints have been submitted, since March 2018.

7. 43% of cyber attacks target SMEs; 60% of small businesses go out of business within 6 months of a cyber attack. Read more