Data Controller vs. Data Processor and ISO/IEC 27701
In our digital age, where data breaches and privacy concerns are more prevalent than ever, the roles of data controllers and data processors have gained significant importance. This surge in relevance is attributed to high-profile data breaches and the increasing attention to data privacy laws like the EU General Data Protection Regulation (GDPR).
A recent article on Security Info Watch reports a massive data breach, termed a "supermassive leak," involving around 26 billion records from numerous popular websites across various countries. This breach encompasses 12 terabytes of data, including records from LinkedIn, Twitter, Weibo, Tencent, and other platforms.
In this context, the ISO/IEC 27701 standard is a crucial tool for organizations handling personal data, guiding the implementation and improvement of Privacy Information Management Systems (PIMS).
What is a Data Controller?
A data controller, as defined by regulations such as the GDPR, is an entity (individual, organization, or authority) that determines the purposes and means of processing personal data.
They are responsible for obtaining data subjects’ consent, managing data access requests, and ensuring the clarity and legality of data collection purposes. As privacy laws evolve, data controllers are expected to provide more stringent consent management and enhanced transparency in data processing.
The main responsibilities of the data controller are:
- collecting the data subject's consent
- handling requests from data subjects to revoke (withdraw) that consent
- making information accessible to data subjects, based on their right to information
- obtaining permission and stating unequivocally the reason for which the data is collected
The regulation that truly popularized the term “data controller” was the GDPR. Article 4 of the GDPR is essential for legally establishing the boundaries and roles of Data Controllers. It defines a 'controller' as follows:
“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
What is a Data Processor?
Right next to the definition of “controller”, in point 8 of Article 4, the GDPR defines the meaning of “processor”:
“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
A data processor is a key player in the data privacy ecosystem, typically an external entity that processes personal data on behalf of the data controller. Unlike the controller, the processor does not have autonomy over the 'why' and 'how' of data processing; instead, they act under the instructions and guidelines set by the controller.
Their responsibilities have grown significantly due to modern privacy regulations like the GDPR. Data processors are tasked with implementing robust security measures to protect data, maintaining records of processing activities, and ensuring that any data processing is conducted in full compliance with the established privacy standards. They must also be prepared to assist data controllers in responding to data subjects' requests and in conducting impact assessments.
With the rise of cloud computing and third-party service providers, the role of data processors has become more prominent and complex, requiring them to demonstrate a high level of diligence and compliance expertise in handling personal data.
Understanding the Roles: Data Controller vs. Data Processor
The roles of a data controller and a data processor, though interrelated, are distinctly different in the realm of data privacy.
The data controller is the entity that determines the purposes and methods for processing personal data. It makes key decisions about data handling and bears the primary responsibility for the data.
On the other hand, the data processor acts under the direction of the controller, handling the actual processing of data as per the controller's requirements.
Illustrative Example:
Consider Company A, a data controller, collecting personal information for marketing. Company A decides why and how the data should be collected, ensures compliance with privacy laws, manages consent, and handles requests for information access or data deletion. To facilitate its marketing efforts, Company A contracts Company B, a specialist in email marketing and customer communication. Company B, as a data processor, handles the technical aspect of sending out marketing emails to clients but does so under the guidance and rules set by Company A. In this dynamic, Company A must ensure that Company B complies with all relevant data protection regulations, such as the GDPR.
ISO/IEC 27701: Bridging the Gap between Controllers and Processors
ISO/IEC 27701 stands as a pivotal standard in the realm of data privacy, offering a comprehensive framework that serves both data controllers and data processors. This standard is designed to enable organizations, regardless of their role in data handling, to establish, maintain, and continually improve their Privacy Information Management Systems (PIMS).
What makes ISO/IEC 27701 particularly significant is its alignment with the GDPR and other global privacy regulations. This alignment ensures that organizations adhering to the standard are not only compliant with one of the most stringent privacy laws but are also well-positioned to meet various international privacy requirements. This is crucial in an era where cross-border data transfer and global digital operations are commonplace.
For data controllers, ISO/IEC 27701 provides a clear roadmap for determining the scope and purpose of data processing in a way that respects privacy rights and complies with legal obligations. It guides controllers in implementing processes for obtaining consent, managing data subject rights requests, and ensuring transparency in their data handling activities.
For data processors, the standard outlines how to process data safely and securely on behalf of controllers, ensuring that all processing activities are in line with agreed-upon requirements and privacy norms. It emphasizes the need for robust security measures, regular audits, and thorough documentation, all of which are essential for maintaining the trust of controllers and the individuals whose data is being processed.
Additionally, ISO/IEC 27701 acts as a bridge that enhances the collaboration between controllers and processors. By having a common standard to adhere to, both parties can work more cohesively, ensuring that privacy considerations are seamlessly integrated throughout the data lifecycle. This not only streamlines compliance efforts but also fosters a culture of privacy and accountability within the organization.
In conclusion, the distinction between data controllers and processors, and the integration of standards like ISO/IEC 27701, are more critical than ever in the ever-evolving landscape of data privacy. As organizations navigate through the complexities of modern data regulations, understanding these roles and adhering to international standards becomes imperative for effective data management and privacy compliance.
How Can PECB Help?
PECB's ISO/IEC 27701 Training Courses are specifically designed for individuals seeking to deepen their understanding and skills in privacy information management. These training courses offer an in-depth exploration of the ISO/IEC 27701 standard, equipping participants with the knowledge needed to effectively implement and manage a PIMS within their organizations.
PECB’s expert-led trainings provide practical insights and real-world applications, ensuring that participants are well-prepared to navigate the challenges of data privacy and compliance. By completing this training course, individuals not only enhance their professional capabilities but also position themselves as valuable assets in the evolving landscape of data privacy management.
About the Author
Vlerë Hyseni is the Digital Content Specialist at PECB. She is in charge of doing research, creating, and developing digital content for a variety of industries. If you have any questions, please do not hesitate to contact her at: content@pecb.com