Guest Blog: Who's responsible for GDPR?
This guest blog on GDPR comes from Alan Ballany of Culture Republic.
Alan is their Strategic Planning Director and his role focuses on technology and systems infrastructure, internal resources and workflow and team development.
Culture Republic is a Scottish-based organisation who work with artists, producers, cultural organisations and creative businesses who want to better understand their audiences.
In May 2018, the General Data Protection Regulation (GDPR) came into force across the whole of the EU.
Here, we’re looking at who’s responsible for ensuring the laws are adhered to, and who is liable when they are not.
Who's Who Under GDPR
The ICO have outlined and defined three parties that will be involved in a data processing operation:
- Data Subject A data subject is the person about whom data is being collected.
- Data Controller The data controller is the person or organisation that decides why personal data is held or used, and how it is held or used.
- Data Processor Any person or organisation that holds or uses data on behalf of the data controller is a data processor.
For example, a festival organiser may use an external provider to manage ticket sales. The ticket sales provider processes the data on behalf of the festival organiser. The ticket sales provider should also process the data exclusively for the purpose set out by the festival organiser. In this scenario, customers are the data subjects, the ticket sales provider is the data processor and the festival organiser is the data controller.
What's Changing?
These terms are broadly the same as before, but the responsibilities and obligations associated with each group of people are changing with the new legislation.
Previously, data controllers were the only partly responsible for enforcing data protection regulations, and were exclusively liable if they failed to be enforced.
The changes in the law mean that data processors will now also be held under certain obligations, particularly in areas of security, record keeping and international transfers. The changes also mean:
- There will be more rules for controllers and processors to abide by.
- Data processors could be as liable for breaches in data legislation as data controllers.
- The sanctions for failing to comply with the GDPR regulations will rise significantly. Where before the maximum fine was £500,000, now the fine can rise to whichever of the following is higher:
- 4% of worldwide turnover
- €20,000,000 (at the time of writing around £17,700,000).
In summary, the regulations are getting more complicated. In addition, more people are responsible for complying with them, and the penalty for not complying is significantly higher. It is vital that your organisation becomes compliant with GDPR well before May 2018 to ensure that there’s no chance of getting caught out.
Personalised GDPR Support
If you have a question that isn't answered above, you can leave us a comment below and we'll do our best to answer. We’re also offering bespoke GDPR workshops for cultural organisations, so please drop Úna an email if you're interested.