To comply with the GDPR, you need to know when you are a Data Controller or a Data Processor and what your obligations entail. In fact, you may even be a Joint Controller.
The GDPR requires organisations, including schools, colleges, and universities, to document the data processing activities they undertake and to assess those activities against Article 32 (security of processing).
For each process, you also need to identify whether you are the Data Controller, Data Processor or Joint Controller.
A Data Controller is:
“A natural or legal person who (either alone, jointly or in common with others) determines the purposes and means of the processing of personal data.”
Where two or more controllers act together, they are Joint Controllers.
The Data Processor is:
“A natural or legal person (other than an employee of the Data Controller) who processes personal data on behalf of the Data Controller.”
Article 30 mandates that organisations keep records of their processing activities. That record, in turn, enables you to determine your role for each process and to assess the technical and organisational security measures for that processing, proportionate to the resources of the organisation.
WHERE YOU ARE THE CONTROLLER …
… and have providers processing data on your behalf (for example, cloud-based systems, IT managed service companies, and bus companies that are given health data on the students they transport), those providers must be required to process only on clear, documented instruction from you. They also have to ensure they comply with the relevant Articles, including Articles 32 to 36.
In making sure they comply, your contract with them needs to clearly state:
- The processing activities they are undertaking.
- The technical and organisational measures used to protect the data being processed.
- How they will enable you to comply with the various rights that can be exercised.
WHERE YOU ARE THE PROCESSOR …
You may have other data controllers asking you for evidence of compliance with Article 32 and Article 30, and for how you will support them with Articles 33 to 36. To be able to do this, you need to have completed the data mapping process, including an assessment against Article 32 and Data Protection Impact Assessments (DPIAs) where necessary.
Importantly, whether you act as the processor or have providers processing data on your behalf, the controller has the right to audit the processor's compliance with the GDPR.
Where a regulation grants a right of audit, organisations are fully expected to exercise that right as an appropriate organisational and technical measure for compliance.
In defining the relationship between your organisation as the controller and your processors, you will need to review:
- The legal contracts you have with suppliers.
- The privacy statement on your website.
- The disclaimer on your email.
You will also have to update various other documents to ensure you have the relevant protections in place and to inform data subjects which information is being shared with external parties.
Further, you may consider having your suppliers complete an Information Security Questionnaire to evidence compliance with the codes of conduct and certifications mandated by the GDPR.