In this video I want to address
- what it means to be a Controller of Information and the Processor of Information
- why it’s important to make sure that the people you work with (i.e. those you share the information you have collected with, or who otherwise have access to it) are also GDPR compliant, and have set up their Privacy Policies and practices so that they comply.
A quick refresh
GDPR is the General Data Protection Regulation, now enforced by the EU. It is the overarching rule governing the collection of private information by businesses, whether for a purpose necessary to conduct their business or for marketing purposes.
Data Controller vs Data Processor
It’s really important to understand the meaning of Controller and Processor – these two roles are the main focus of the GDPR.
You as a small business are the Controller of information in the first instance – you control the means by which private information is collected and the purpose for which it is collected. The purpose, by the way, has to be a legitimate purpose (a topic for another time).
Sometimes you will be both the collector and the one who processes the information yourself. Other times you will hand over control of that information to an outside provider to use it for a particular purpose – usually for marketing and research purposes.
When you hand over control to another party, they are the Processor of the information. These other parties are also third-party service providers in relation to your business. The first party is you, the second party is your client or website user (the data provider), and the third party is the processor to whom you have handed control of the information you have collected.
So how can you ensure that a third-party processor, such as the CRM or email marketing software you are using, is GDPR compliant?
There are some very simple steps to keeping a handle on this stuff.
- Make a list of all your processors. Providers like email marketing software, accounts software, cloud storage, CRMs, marketing agencies, website developers – anyone who processes personal data under your instructions.
- Do some checking on all of your processors to see what they are saying about complying with GDPR.
- Make sure that you have a written Processor Agreement with all of your processors that contains all of the required provisions as set out in GDPR.
The big companies (e.g. Mailchimp) will have their own Processor Agreement incorporated into their terms of business. If your processor is smaller (such as a virtual assistant), then send them your own Processor Agreement.
The obligation is on you, as the data controller, to make sure there is a Processor Agreement in place.
- Work out whether each of your processors is based outside of the EEA or is transferring data outside of the EEA.
Note where they are located and whether they fall into one of the following categories:
- Processors located in the European Economic Area (EEA)
- Processors located outside the EEA and the US, but in a country considered “adequate” in its data protection practices by the European Commission.
- Processors located in the US – are they registered on the EU-US Privacy Shield list? You can check the Privacy Shield database to see if the company is listed.
As part of GDPR, we all need to be more vigilant about what personal data we are transferring, and put safeguards in place to protect people’s personal data.