Who owns the personal data you collect from users?
From Facebook to fitness apps, our personal data is harvested nearly everywhere we turn. But who really owns this data and why does ownership matter?
Understanding the General Data Protection Regulation (GDPR) can take time, especially with the introduction of new terminology and concepts. With a business that may be subject to GDPR law, it helps to understand these news concepts to ensure your privacy practices meet the established criteria.
Today, we’re looking at what the regulation means when they say data controller — what function they perform in the handling of personal information and what their role is in the context of user privacy.
A data controller is a person or organisation who controls the purpose of and means by which personal data is processed.
So, if you (as an individual) collect and store personal data, you are a data controller. If your business collects and stores personal data, your business is a data controller. Data controllers are tasked with ensuring that personal information is being processed lawfully and in accordance with the GDPR’s data protection requirements.
The GDPR also mentions “joint controllers”, which is a collective term for two or more organisations making joint decisions over data processing. Joint controllers must create a formal agreement that outlines each party’s responsibilities for compliance.
The term “data controller” is used to broadly identify people and organisations who must comply with the GDPR, whereas a data protection officer (DPO) is the formal job title given to someone who has been specifically hired to carry out these obligations.
A DPO’s role is to oversee data privacy, demonstrate compliance, advocate for and assist data subjects in exercising their rights. There are three instances in which data controllers must appoint a DPO: