WTF is a data controller vs. data processor?
Sharing data between businesses has become a legal minefield since the arrival of the General Data Protection Regulation last May.
The U.K. data protection regulator, the Information Commissioner’s Office, has sought to shed light on a remaining gray area: the contractual agreements a data controller should have with another independent data controller when sharing customer data. Last week, the regulator issued an update on its data-sharing practices to bring them into alignment with GDPR.
Until now, there has been far more attention on agreements between data processors and controllers. The ICO has advised companies that are classed as data controllers under GDPR to pay more attention to agreements with other controllers. But many businesses remain confused over whether they should be classed as a controller or a processor or both.
WTF is it all about? Here’s a primer.
Remind me what a data controller is.
A data controller is a business that has complete control over who or what can access its customer data, and decides what purposes those partners can use its data for. It is also responsible for gaining consent to use its customers’ personal data, from the customer directly.
What about joint controllers?
This is when two businesses have decided to take joint control in their data controller responsibilities and, therefore, also share equal liability. You can also have two separate, independent data controllers who have decided to work together (but not as joint controllers), which is what the ICO is referring to in its update.
And a data processor?
This is a business that only executes services on behalf of a data controller but has no say whatsoever in how that data is used and for what purposes. It is more like a technology facilitator, according to legal experts. “A processor only acts on the controller’s instructions,” said Sarah Williamson, partner at Ashfords Solicitors and specialist in ad tech law. “There are some decisions a processor might make, like the technical and security measures in terms of how to store that data. But they don’t decide to collect names and addresses from certain customers.”
Can a business be both a data processor and a controller?
This is where it gets messy, but, yes, they can. Though there is still a lot of confusion in this area. Some companies believe they’re both when they’re not, and others believe they’re just a processor when in fact they’re also a controller, according to GDPR lawyers. Obvious data controllers: publishers and advertisers. Less obvious data controllers who are also data processors: agencies or ad tech vendors that also retain that data for their own purposes and claim a legal basis for doing so.
How do you define which you are?
This is a classic gray area. Being a data controller doesn’t just mean being a business that has a direct relationship with consumers; that’s just one factor. Some legal teams within publishers determine whether ad tech vendor partners who claim they’re only processors are in fact data controllers by asking whether they plan to retain the customer data after termination of their contract with the publisher or to return it. If the answer is the former, then they’re a controller as well as a processor.
OK, so what is the ICO update on controller-to-controller agreements for?
So much emphasis last year was on updating contractual agreements between data processors and data controllers because GDPR contained far more information about the specific requirements for those agreements, as well as for joint controller relationships. Also, the mistrust in the digital ad supply chain meant that publishers weren’t confident they had visibility of how their ad tech partners would use their data, for instance for purposes outside of that publisher’s expectations. If that happened, the publisher would land in hot water (though so would the processor).
The result was that very little thought was given to what was needed between data controllers and other data controllers.
If data controllers don’t do this, will they be in breach of GDPR?
No. But last week the ICO made it clear that it recommends that data controllers do so, in order to demonstrate their accountability. In essence, it’s guidance for good practice, which will go down well with the ICO should they be required to investigate any GDPR breaches. But take a second-party data deal, which is all the rage between publishers and advertisers. This is a project between two data controllers — so in theory, a GDPR data-sharing agreement should come in so both sides are covered.
Why is this important?
When the ICO announced its intention to fine British Airways and Marriott hundreds of millions of pounds, it eroded any widespread complacency among businesses: the belief that as long as they could show they’d put some effort into compliance, even if it was minimal, they’d be safe because the ICO didn’t want to resort to heavy fines. The size of the BA and Marriott fines even took GDPR lawyers by surprise. It has taught everyone not to be complacent. “It’s important to get it right, as then you can have proper clauses that correctly allocate liability,” said Kathryn Wynn, legal director at Pinsent Masons international law firm. “Otherwise, if Armageddon happens, you won’t be able to enforce it.”