Data controllers and data processors: What’s the difference and why should Australian boards care?

Are the Board and Business Leaders responsible for company data?

I booked a hotel online last week and, before I accepted the booking, this acknowledgement came up: “I accept the joint data controller’s privacy policy and I can unsubscribe at any time from future emails as per the Privacy Policy”. It turns out that I was making a hotel booking with a local brand owned by an international hotel chain, which had a global privacy policy in place covering the European Union and Australia.

In the European Union (EU), a comprehensive data protection law, the General Data Protection Regulation (GDPR), governs how the personal data of individuals in the EU must be handled. Central to GDPR compliance are the distinct roles of data controller and data processor, each with specific responsibilities and obligations.

Understanding the key differences between these two roles is crucial for businesses that need to comply with GDPR requirements. It is also relevant for Australian businesses, as our data privacy regulations are expected to follow a similar trajectory to the GDPR, with tighter privacy laws starting in August 2024.

What are the differences between data controller and data processor organisations? In this article, I refer to the European GDPR model to provide examples of each and highlight the governance issues that Australian board directors and management will need to address for each business type.

Key Differences Between Data Controllers and Data Processors

In the world of personal data management, the data controller is the one calling the shots. In the GDPR’s own words, the controller determines the purposes and means of processing personal data: why it is collected and how it is handled. Think of a retail company that gathers customer information to tailor its marketing strategies; that company is acting as a data controller.

A data processor, on the other hand, handles personal data on the controller’s behalf and on the controller’s documented instructions. It does not decide why or how the data is processed; it follows the guidelines set by the controller. For example, if that same retail company uses a cloud service provider to host its customer databases, the cloud service provider is the data processor, taking care of the data as per the retail company’s directions. One caveat worth noting: if a processor starts using that data for its own purposes (for example, to train its own products), it becomes a controller for that use, with all of a controller’s obligations.

When it comes to decision-making in data processing, the data controller has the authority. It decides what data to collect, why it is needed, who it is shared with, and how long to keep it. Essentially, the controller makes all the important calls about data handling.

A data processor has no such decision-making power. Its role is execution rather than decision-making: it must ensure the data is handled exactly as the controller has directed, and nothing more.

When it comes to legal obligations, the data controller carries the heavier load. It is responsible for ensuring that all data processing activities comply with the GDPR. This means establishing a lawful basis for each processing activity (consent is one of several lawful bases, not the only one), keeping data accurate, implementing protective measures, and handling requests from data subjects.

The data processor’s obligations are different in kind. It must process data strictly according to the controller’s instructions, ensure appropriate security measures are in place, and assist the controller in meeting GDPR requirements. Essentially, the processor supports the controller in staying compliant with the law.

When it comes to accountability in data protection, the data controller is primarily on the hook. It holds the main responsibility for ensuring compliance and can be held liable if there is a breach.

Data processors are not let off entirely, however. The GDPR places obligations directly on processors (for example, maintaining security, keeping records of processing, and notifying the controller of breaches), and a processor that fails to meet them can be held liable in its own right. But overall accountability still rests with the controller, which bears the main burden of ensuring everything is up to standard.

Data governance implications for Australian Boards 

What are the implications for Australian directors contemplating the introduction of GDPR style privacy legislation in this country? There are several crucial areas of focus.

For Data Controllers, compliance and risk management are top priorities. Board directors must ensure the company has robust policies and procedures in place to comply with GDPR-style requirements, including Data Protection Impact Assessments (DPIAs), managing data subject rights, and having Incident Response Plans (IRPs) ready to go.

Another essential aspect is appointing a Data Protection Officer (DPO), or a similar role, should the privacy regime administered by the Office of the Australian Information Commissioner (OAIC), led by Privacy Commissioner Carly Kind, require one. This DPO-type role would oversee all data protection activities and ensure the company stays compliant.

Data security measures are also critical. Directors must make sure the company invests in the right technologies and practices to protect personal data from breaches. This includes regular audits and assessments of third-party compliance when engaging data processors, and ensuring written data processing agreements are in place that set out the processors’ obligations and responsibilities.

Training and awareness are essential as well. All employees need to understand GDPR style privacy requirements and the company’s data protection policies, so regular training sessions and awareness programs should be conducted. Transparency and communication are equally important. The board should ensure the company is transparent with data subjects about how their data is used and maintain clear communication channels for data subject requests and complaints.

For Data Processors, adhering to controller instructions is paramount. Directors must ensure the company strictly follows the data processing instructions provided by controllers, as any deviation can lead to non-compliance and potential liability. Like data controllers, data processors must implement strong security measures to protect personal data, including encryption, access controls, and regular security assessments.

Establishing comprehensive data processing agreements with controllers is vital. These agreements should detail the scope, nature, and purpose of the processing, the types of personal data and categories of data subjects involved, the duration of the processing, and the processor’s obligations. Processors must also have procedures in place to notify data controllers of any data breach without undue delay, and be capable of responding quickly.

Finally, data processors need to assist controllers in fulfilling their GDPR style obligations, such as handling data subject rights requests and conducting data protection impact assessments. Regular training for employees on privacy requirements and the company’s data protection policies is necessary to ensure compliance and awareness.

Understanding the distinct roles and responsibilities of data controllers and data processors will soon be fundamental for data privacy compliance in Australia. For board directors, governing these business types involves ensuring robust compliance frameworks, effective risk management strategies, and ongoing education and training. By addressing these governance issues, companies can navigate the complexities of upcoming privacy legislation in Australia and uphold the highest standards of data protection and privacy.

Get in touch

If you need assistance navigating the privacy landscape or assessing the current privacy and data governance posture of your organisation, please get in touch. We’d love to help.
