The two parties in the realm of data security are “The Controllers” and “The Processors” of digital information. The Controllers are the entities that determine the methods and reasons for the processing of users’ data; that is, any organisation, be it a company, a charity or a government entity. The Processors are the IT firms that actually handle the technical function through which the data can be processed.
GDPR will affect all controllers and processors that handle the personal data of EU residents, regardless of whether the controlling or processing parties are based in Europe or abroad. As such, the new law affects all online businesses and platforms that accept customers or members. The balancing act between controllers and processors works as follows:
- Controllers must ensure that their processors function in accordance with the new regulations
- Processors must make sure that their activities abide by the new law and maintain applicable records
Processors hold full and even partial responsibility for a data breach, and will be penalised much more strictly under this regulation than under the pre-existing Data Protection Act. The actual source of a breach won’t even matter under the new law, as the processor will bear most of the blame.