What is the Difference between a GDPR Controller and a GDPR Processor?

The new General Data Protection Regulation (GDPR), soon to be part of European Union Member States' legislation, has specific officials whose job it is to ensure that the clauses of the GDPR are upheld. Two of these are the controller and the processor. They are part of the team that protects the rights of EU citizens, wherever in the world they live.

What is the Job of the Controller?

Controllers are people designated by businesses which employ or deal with EU citizens. It is their job to make sure the company that hires them is in compliance with the GDPR. In fact, the controller's job is all about the obligation of compliance.

The controller determines how and why data is processed. If a processor is used, the controller decides how this person or machine handles data. It is the controller's job to ensure the processor does exactly what data subjects were told would be done with their data.

The controller determines the duration of data processing. The data subjects and categories of information requested are also decided by the controller.

The GDPR makes written contracts between controllers and processors necessary, and ensures that they are clearly written and transparent.

The controller ensures that individuals have access to their personal data and can request changes to it.

What is the Job of the Processor?

Processors carry out the tasks outlined in their contract with the controller. As the name suggests, it is the processor's job to process personal data under the controller's instructions. The processor might be a person, an agency or another group.

Conclusion: What is the Difference?

Before the GDPR, every business, company and organization collected personal data on its employees and clients. So, in essence, there has always been an unofficial processor: a person or group that collected and stored this necessary data.

However, with the GDPR come the rights of individuals to see what is in their file, to ask for modifications, to demand that things be removed, and to object to its contents. So businesses need someone who will oversee individuals' ability to know and exercise their rights.

Every company needs an individual who will create a procedure for these rights, analyze requests from individuals and ensure the company is in compliance with the GDPR. These are the responsibilities of the controller.