GDPR is here – do you know whether you are a data controller or data processor?

Collin Stewart, CEO
4 June 2018
The following is a guest post by Daniel Barber, Co-Founder and CEO of the software compliance firm, DataGrail.
As of May 25, the oft-discussed, headline grabbing, and (for some) nerve-wracking General Data Protection Regulation (GDPR) came into effect.

And, if you do business in the European Union, there’s a lot to know.

This legislation, in one way or another, touches nearly every corner of a company – from sales and marketing, to customer success, to IT. I’ve written extensively on the basics of GDPR: you can check out a couple of my posts here and here.

(Editor’s note – you can listen to our lengthy chat with Daniel on the Predictable Revenue Podcast here as well.)

But as I continue to work through the legislation – and, for that matter, grow my company DataGrail to help companies navigate it – I think it’s important to clarify the roles of data controllers and data processors, both foundational concepts in understanding GDPR.

What is a data processor?

This is the easier of the two concepts to define. The data processor label refers to companies that store personal data on behalf of their customers.

The easiest examples of data processors are some of the tech industry’s biggest companies (and products): Microsoft Dynamics, Salesforce, and Amazon Web Services.

The key point here is that these companies, as it pertains to the data in their products, are not making any decisions. They are merely processing, or storing, their customer’s information.

What is a data controller?

Data controllers, on the other hand, are making decisions, and ultimately acting, on that personal data. For example, decisions are made by your sales or marketing teams – you have someone’s personal information, and the reason you have it is because you plan to get in contact in with them.

You may have bought a list, or you subscribe to one of the many data providers in the market. However, if you obtained and make decisions with the personal data, the key point remains: your interest lies in using that intel to market your product. Simply put, if you have a sales and marketing function, you are a data controller by default.

Now you may be asking, companies such as Salesforce, Microsoft, AWS, or a litany of other technology vendors, both process data in their products and have robust outbound sales teams tasked with selling that product. Can you be both a data processor and data controller?

Absolutely. In fact, most B2B companies are. And it is critical to understand your role in both worlds. I’ve spoken to a dozen companies, many massive in size, and I can tell you they believe they are GDPR ready. And I have to tell them, you actually aren’t – only your product is compliant. As a data processor, you’re okay. But as a data controller, unfortunately, you’re not.  Again, the crucial distinction is who makes decisions.

We worked alongside Gunderson, a leading law firm and experts in privacy law, to produce a video that reinforces the concepts of data processor and data controller: check it out here.

A touch of grey

As with all new pieces of legislation, there are some grey areas to be aware of. Chief among those still-to-be-defined concepts is when a product – a piece of technology itself – behaves like both a data controller and a data processor.

For example, marketing automation tools such as Marketo perform clear data processor function: people (marketers) supply it with information, and it houses that data for them. A straightforward case, to be sure.

But Marketo, because of features such as lead scoring, also makes decisions like sending emails to individuals based on the data it processes. How this grey area plays out as GDPR legislation continues becomes entrenched remains to be seen.

Why is this important?

Of course, understanding these definitions is critical because, depending on the role(s) your company plays, you will have to comply with the regulations set out in GDPR legislation.

Generally speaking, processors only have to comply with the obligations under GDPR that apply specifically to processors. And processors generally have fewer compliance requirements than controllers.  

The same goes for controllers. However, if you are both a processor and a controller (you process personal data for your customers, and market directly to potential customers), you will be treated as a controller and you will be subject to the requisite compliance obligations.

For instance, controllers can receive either a Subject Access Request or a Deletion Request. If you receive a Subject Access Request (SAR), you will have 30 days to prepare all the data you have related to the individual, including any third-party systems.

This process is similar for Deletion Requests, however in B2B contexts, this can prove quite challenging. A contact’s personal data might live in cookie networks. For example, if you are using AppNexus, that data may have been shared with 10 other processors. 

That same data may also have been shared with Marketo, Outreach, and a host of other sales and marketing tools. Your legal obligation is to remove a requester’s personal data from all of the data processors you have relationships with.

In addition to the controller requirements, as a processor, you can be served SARs to comply with your customer obligations in processing their data. This involves querying internal systems and establishing a workflow to distinguish between the two types of requests.

As you can see, these requests can create a matrix of problems. For now, we’re only discussing legislation for residents of the EU.

However, it’s safe to assume that more is coming. Similar rules will, at some point, come to North America.

Marc Benioff of Salesforce shared this sentiment: “You can see it’s going into effect in Europe with GDPR. That means in Europe your data belongs to you, but in the United States, your data belongs to all these companies that are collecting it, and they can do with it basically whatever they want. That’s a shift we have to make. You can see that’s about to happen in California where I am from. There is a statewide privacy law that is moving its way to voters. But what we need is a national privacy law.”

By approaching the GDPR in a proactive way, and fully understanding the different roles we play and the different requests we may receive, we’ll be ready.

Disclaimer: Please be advised that while DataGrail and Predictable Revenue are committed to providing helpful and tactical information, we are not lawyers and any information posted here should not be construed as legal advice!

Please consult your own legal advisors on the matter and ensure you have proper protection in place. Any decisions you make that impact your outbound processes should be double checked by a qualified licensed professional and are done at your own risk.