The General Data Protection Regulation clearly outlines a distinction between controllers and processors for clear identification. The distinction exists because not all organizations dealing with personal data have the same degree of responsibility.
That said, GDPR defines a controller as “any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Data Controllers are organizations that take all the decisions of the data processing activity. They exercise their control over the processing of personal data that is collected and are ultimately in charge and responsible for the legal processing activity.
A controller can be any business, organization or any legal entity, or even an individual as outlined in the GDPR Regulation. However, it is important to note that individuals processing personal data for personal activity cannot be considered as a controller and are subject to the GDPR Regulation. It is also important to note and understand that some controllers under the legal obligation (Section 6(2) of the Data Protection Act 2018) who are required to process personal data are also considered controllers and need to comply with GDPR.
Organizations who are considered controllers, as defined by GDPR, are required to comply with the GDPR Regulation and must demonstrate compliance with the data protection law and principles. They are required to take appropriate measures to ensure that the processing is well in line with the GDPR Regulation.
For organizations that need guidance in understanding the regulation as a Data Controller or Data Processor and looking to achieve compliance, VISTA InfoSec can provide you the right direction. Our compliance experts can work with your team and guide your organization in the implementation of measures to ensure compliance. For more details about our GDPR Services or about the GDPR Regulation you can drop us a mail with your query at info[a]vistainfosec.com