Understanding your company’s GDPR risk exposure is essential. To do this, it is often helpful to identify how regulators would categorize your company.
In other words, are you a controller or a processor?
A “controller” is the party that owns the relationship with the consumer and determines the purposes and means of processing their personal data. A “processor” is the party contracted by the controller to process that data on the controller’s behalf, according to its instructions.
For example, imagine an insurance company whose customers are in the EU. It collects information from its customers and emails them from time to time. To do this, the insurance company uses an Email Service Provider (ESP). The insurance company is the controller and the ESP is the processor.
Under GDPR, most of the regulatory onus is on the controller. But there are some obligations that processors must meet as well.
In many cases, controllers are liable for the actions of their processors. Companies must ensure compliance across every vendor relationship that handles the personal data of EU data subjects, including the written contract GDPR requires between a controller and each of its processors.
Conversely, processors can get their clients (and themselves) into very hot water with GDPR violations. They must understand their own responsibilities, and they can gain a competitive advantage by demonstrating their GDPR preparedness as full enforcement of the regulation approaches.