So we’ve talked data processors. We’ve discussed data subjects. Let’s get onto the data controller because in a newsroom context that’s probably you, right?
Here are a few points from the good people at the ICO:
A controller determines the purposes and means of processing personal data.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
However daunting the new GDPR may seem, it’s worth noting that this isn’t so much a revolutionary piece of legislation as it is an updated one. The concept of a data controller hasn’t changed under GDPR, so if you were one under the DPA, nothing will have changed in this regard.
How are they different to the Data Processor?
The Data Controller is the person – or organisation – which collects or holds personal data. They’re the ones issuing the instructions on how that data is used: for payroll, mailing lists and newsletters, on-site comment forms and boxes, and analytics tools and suites (to name but a few).
Is it possible to be both?
Quite possibly. Small organisations in particular might be both holding and processing data, for example through in-house payroll systems or newsletters. But if you’re a newsroom, it’s likely that you’re also using some kind of third-party tool which processes data in some way – be it for newsletter distribution, commenting or analytics.
What kind of data are we talking about in a newsroom context?
There’s a lot of personal data in newsrooms these days. With the advent and growth of reader revenue, more ways for users to interact with content and more platforms on which that content can be accessed, the newsroom has changed enormously in scope. As such, there’s significantly more potential for data breaches to happen than when the original Data Protection Directive was brought into effect in 1995.
How about third party tools?
Most newsrooms use some kind of tool in the course of their day-to-day workflows – the editorial analytics package we provide here at Content Insights is one such example. Whether it’s CI, Google Analytics or even a commenting tool such as Disqus, they’re all classified as data processors, because they’re engaged to work through the data that the data controller (i.e. the newsroom) gives them to work with.
Just because newsrooms have outsourced these processes to third parties doesn’t mean they’ve absolved themselves of responsibility for that data: quite the contrary, in fact. The GDPR makes it clear that the buck stops with the Data Controller, so it’s in their interests to make sure everyone – at all levels – is compliant.
I just got an email from @disqus about a data breach, reminding me once again that newsrooms need to be thinking about reader privacy.
— Josh Stearns (@jcstearns) October 12, 2017
Go ahead and scare me with some figures then…
OK… Organisations in breach could be fined up to 4% of their annual global turnover, or €20 million (whichever is greater, naturally). That would be for the most serious infringements of the GDPR, but there is a tiered approach to fines. It’s important to note that these rules apply to both controllers and processors.
This is a big change from the preceding legislation. Take the example of TalkTalk, the telecommunications company, which was fined £400k for data security breaches back in 2016: had this case been heard under GDPR, that figure would have been closer to £59 million (and possibly higher still).
While experts reiterate that GDPR is not about financial penalties, those in the know – like Roger Rawlinson of NCC Group’s Assurance Division – say that “this analysis is a reminder that there will be significant commercial impacts for organisations that fall foul of the regulations.” Take heed one and all.
Who’s responsible if there’s a data breach with a third party tool?
Well, this is where accountability has stepped up a notch with GDPR. Unless there are specific arrangements with the data processor, the data controller will still be held responsible for any data breaches that happen with their data. What does this mean in practice? Well, it clearly encourages everyone to know exactly what data they’re holding, who has access to it and whether those third parties have the necessary GDPR safeguards in place. Check.
What you need to be aware of is that the guidelines here are significantly more stringent than they were before: the impact of GDPR is likely to be challenging because of the new, stricter 72-hour deadline within which data controllers now have to identify, review and report data breaches.