GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy.
There are two different types of data-handlers the legislation applies to: ‘processors’ and ‘controllers’. The definitions of each are laid out in Article 4 of the General Data Protection Regulation.
A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while the processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”. If you were subject to the UK’s Data Protection Act, for example, you’ll likely need to be GDPR compliant, too.
“You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR,” says the UK’s Information Commissioners Office, the authority responsible for registering data controllers, taking action on data protection and handling concerns and mishandling data.
GDPR ultimately places legal obligations on a processor to maintain records of personal data and how it is processed, providing a much higher level of legal liability should the organisation be breached.
Controllers are also forced to ensure that all contracts with processors are in compliance with GDPR.
