Understanding your company’s role in relation to the personal data you are processing is crucial in ensuring compliance with the GDPR.
Obligations under the GDPR vary depending on whether the company is a data controller, a data processor, a joint controller, or an independent controller (we’re going to focus on controller vs. processor here). The data controller is the main collector of the data: the controller determines why and how the data is collected.
Companies are data controllers for their business contact data, employee information, or email marketing data. The data processor is an entity that stores, manages, or processes personal data on behalf of the controller.
Customer relationship management (CRM) platforms are data processors, as are email marketing platforms, cloud storage, and accounting software. They hold a lot of data, but they work with that data on behalf of another entity. (The CCPA, California’s data privacy law, calls these two roles “Business” and “Service Provider” instead of “controller” and “processor.”)
A simple example of this distinction is a company and its online payroll processor. The company sets the salaries, makes hiring decisions, and tells the payroll company when to pay its employees, when people are hired or fired, etc. The payroll company provides a software platform and stores the employees’ data. The company is the controller of that data and the payroll service is the data processor.
Many companies are controllers for some data and processors for other data (most companies are at minimum controllers for their employee information). Why is this important? Controllers and processors have different obligations under the GDPR, but that’s for another video.