EFSS: Which companies are affected by the GDPR?

One of the first things that all companies should ask themselves is if and to what extent they are affected by the GDPR. In this blog post, we take a look at how the GDPR classifies companies and the responsibilities that follow.

The GDPR is far-reaching, in the most literal sense, actually. Whether or not your company is located in the EU doesn’t even matter. The deciding factor is EU citizens. If your company offers goods or services to individuals in the EU, it is going to be affected by the GDPR, regardless of whether company headquarters are located inside or outside the borders of the European Union.

So that’s that, ain’t it? Well, if we were to dig a little deeper, we might be able to say something slightly more specific about companies and how they are affected by the GDPR.

Companies affected by the GDPR
The most important aspect to understand is that under the GDPR, companies are grouped in two separate categories: ‘controllers’ and ‘processors’. Which category your company falls into will determine what it takes to comply. In simple terms, ‘controllers’ decide how and why personal data is processed. ‘Processors’, on the other hand, act on the controller’s behalf.

Companies that are considered ‘processors’ do the actual handling of personal data. This is the reason why the GDPR places specific legal obligations on processors. Most notably, ‘processing companies’ are required to maintain records of personal data and of their actual processing activities. Additionally, ‘processors’ face significantly more legal liability if they are responsible for a breach. These obligations for ‘processors’ didn’t exist under the Data Protection Act 1998.

Obligations of the controller
Oh yes, life as a ‘processor’ isn’t easy under the GDPR, but it isn’t exactly a cakewalk for ‘controllers’ either. Just because processors are responsible for processing activities doesn’t mean that controllers can hang about. No, ‘controllers’ are definitely still affected by the GDPR. ‘Controllers’ face an obligation to make sure that their contracts with processors are in full compliance with the GDPR. When controllers appoint service providers to process their data, a service provider may only be appointed if it is able to guarantee full compliance with the GDPR.

The GDPR imposes strict requirements on data processing agreements between ‘controllers’ and ‘processors’. These requirements are so comprehensive that some have speculated the GDPR will make it difficult for ‘controllers’ to lawfully appoint ‘processors’. As a consequence, we might see an increase in partnerships based on complex agreements and outsourcing.

One final aspect to keep in mind: almost each and every company is a ‘controller’, at the very least with regard to the personal data of its own employees.

Three highlights:
– All companies that offer goods and services to individuals in the EU are governed by the GDPR.
– Companies are grouped in two categories: ‘Controllers’ and ‘Processors’. Processors face the strictest obligations in terms of keeping records of personal data and data processing.
– ‘Controllers’ must only appoint ‘processors’ able to guarantee lawful processing of personal data.