
If you have already read our blog posts about personal data and data processing, you know that personal data constitutes all the things that relate to an identifiable living person, while data processing refers to the different operations or actions you perform with personal data.

So now it is time to get familiarized with roles and responsibilities within data protection!

Roles within data protection

  • Data subject
    The data subject is the person whose data is being processed. This means that anytime you give your personal data to a company, you become the data subject in relation to that company. As data subject, you have fundamental rights, including the right to information about what data is being processed and why, the right to object to data processing and the right to have your data deleted.

  • Data controller
    The next role within the GDPR is the data controller. The data controller is the person, company or authority who decides on the purposes for which the data is being processed. The data controller is responsible for the data processing, and the GDPR regulates the responsibilities and requirements related to the data controller.

  • Data processor and sub-processor
    The data processor is processing the data on behalf of the data controller. This is the case when, for example, a transportation company ships products to customers on behalf of the company selling the products. The difference between the data controller and the data processor is that the data processor does not control or decide on the purposes for which the data is processed.

    In this example, the transportation company does not decide what customer it will deliver to, or what products will be sent. Instead, the data processor follows the instructions from the data controller and may only process data in accordance with these instructions.

    The data processor sometimes uses other suppliers, called sub-processors, for the processing of data. The sub-processor does not control or decide on the purposes for the data processing, as it is still the data controller who owns the data. This is the case when the transportation company from our example hires a driver from another company to drive the truck with the goods for the customer. The driver does not decide what customer to drive to, or what products to deliver. It is still the company selling the products that is in charge of what products will be sent and to whom. Both the transportation company and the driver (the data processor and the sub-processor) act on behalf of the selling company (the data controller).

  • Data Protection Authorities and DPO
    To ensure compliance with the GDPR, as well as to interpret and give guidance on how to comply with the regulation, each country in the EU/EEA has its own governmental data protection authority. These authorities provide advice and information to data controllers, data processors and data subjects, and are responsible for investigating data breaches and taking the necessary measures to prevent and penalize breaches, such as ordering all personal data processing to cease or fining the breaching company or organisation.

    A Data Protection Officer, also referred to as a DPO, is a role within a company or organization whose responsibility is to ensure that their organisation processes personal data in compliance with the GDPR and the national data protection regulations.

    Some organisations, such as governmental authorities and organisations whose core activities consist of processing sensitive data on a large scale or data relating to criminal convictions, are required to appoint a DPO, while all others may choose to do so.

    The role of the DPO is to advise on GDPR compliance to ensure that data subjects are informed of data processing and their rights, as well as to handle complaints and data breaches within the organisation.

Reflection questions
Consider your company’s role(s) within the GDPR

  • Are you data controllers, data processors, data sub-processors or all of the above?
  • In which context are you which?

What is the name of the data protection authorities in your country?

Does your company have a DPO? If so, what is their name and how are you able to contact them if you run into issues regarding the GDPR?


Responsibilities within data protection

  • The data controller’s responsibilities
    As we’ve now established, the data controller is the person, company or authority who decides on the purposes for which the data is being processed. The data controller is responsible for the data processing towards both the data protection authorities and the data subjects. Therefore, if the data is mishandled or leaked, the data controller will be responsible for paying damages and fines and may even be ordered by the data protection authority to cease any further processing of data.

    As a result, the data controller has a lot of reasons, as well as obligations, to ensure that data is processed legally. If the data controller hires third parties for processing the data, for example by using an HR system for managing employee data, the data controller must enter into a written agreement with the data processor.

    This agreement is called a Data Processing Agreement, or ‘DPA’, and contains instructions on how the data processor may use, store, and delete the personal data of the data controller. The DPA is a means for the data controller to ensure that the data they are responsible for is processed legally, even when it is processed by the data processor. The DPA can also contain requirements towards the data processor to, for example, assist the data controller in informing the data subjects on how their data is being used, and help the data controller in case of a data breach.

    No matter if the data is processed by the data controller itself, or by a data processor, the data controller must decide on the scope and purpose of processing, including:
    • Deletion routines, that is, how long the data will be stored
    • Legal basis for processing, that is, deciding whether the candidates, onboardees, or employees must consent to the use of their data, or if it is enough to inform them about it
    • Information to data subjects, that is, information regarding privacy policies within the systems

    Another obligation of the data controller is the responsibility to report data breaches. A data breach refers to a situation where personal data is accessed, lost or destroyed, either by mistake or as a result of theft or other fraudulent activity. This includes:

    • You forget your work computer, full of information about your employer, the business, colleagues and customers, on the subway
    • A thief breaks into the office and steals company information
    • You accidentally send an email to the wrong person
    • A hacker exploits a vulnerability in your data security and accesses the personal data of your candidates, onboardees, and employees

    Data breaches that entail a risk for the data subjects must be reported by the data controller to the data protection authorities within 72 hours. This means that if the information that has been leaked or accessed can be used for purposes that would be negative for the data subjects, the breach must be reported within three days.

Reflection questions
Do you have examples of data breaches or questions regarding data breaches that you have encountered in your daily work?

Does your company have a set process for handling data breaches? Do you know the correct way to handle a data breach if you encounter it?


  • The data processor’s responsibilities
    As you’ve learned, the data controller may hire third-party companies for processing personal data on their behalf. These are called data processors, and they are required to follow the requirements and obligations of the Data Processing Agreement with the data controller, as well as any written or oral instructions from the data controller. These instructions can, for example, cover deletion of personal data, or where data may be stored.

    The data processor may use sub-processors, meaning other suppliers, for performing the data processing on the data controller’s behalf. This may, for example, include external data storage providers. The data controller must be informed about, and may decide on, which sub-processors the data processor is using.

    As we’ve defined earlier, the data controller is responsible for reporting data breaches, and dealing with the potential consequences, such as paying fines to the data protection authorities.

    The data processor, however, has an obligation to assist the data controller in investigating and reporting data breaches that occur within their organisation or as a result of their data processing. If it turns out that the breach occurred because the data processor did not fulfil their obligations, or did not follow the instructions of the data controller, the data processor will be responsible for the consequences of the data breach, including paying fines and damages and possibly even an order to cease any data processing. This can be the case when, for example, a data processor keeps data for longer than the data controller has instructed them to, or sends the personal data of a data subject to the wrong recipient.

  • We all have a responsibility
    As you’ve now learned, personal data has a strong protection in the GDPR, and must be processed legally, fairly and in a transparent manner. We all have a responsibility to protect and safeguard personal data, and to inform and report when personal data may be mishandled. Therefore, if you encounter a situation where you think data has been wrongfully accessed, altered, lost or deleted, you should always follow internal policies, and inform your data protection point of contact. This is critical in order to fulfil obligations towards data subjects, and to be a safe, professional and successful organization.

Talk to one of our experts and see how you can become GDPR compliant across all HR processes.