GDPR Controllers vs Processors
Brooke Isaacs
The General Data Protection Regulation (GDPR) has been the center of international attention in the world of privacy regulation since it was introduced in 2016 and enforcement began in 2018. If your business works within the European Union or with its residents, GDPR compliance should be top of mind when developing your strategy abroad.
Under the GDPR, people located in the EU gain more control over their personal data and how it can be used by commercial entities; all businesses that handle any personal data of a person located in the EU are subject to the standards in the legislation.
The GDPR requires that companies treat consumers with fairness and transparency when handling personal data, and provides a comprehensive list of expectations for compliant companies.
Businesses working with personal data in the EU are generally sorted into two main categories: controllers and processors. Figuring out which category applies best to your business can be confusing, but it’s important to get this right as there are category-specific compliance requirements in addition to the overarching regulations applying to all businesses. That being said, many businesses (including Twilio and Twilio SendGrid!) function as both controllers and processors.
What is the difference between a controller and a processor?
What is a controller?
The GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” This means that controllers decide how the collected data is processed. In this context, processing refers to any operation or set of operations performed on data, including accessing it, storing it, or transferring it. To put it simply, controllers make decisions about how data will be used and can use data for their own benefit. Processors operate only within the controller’s instructions, using data for the controller’s benefit.
For example, Facebook is a controller. It uses the data it collects for its own growth and algorithms.
What is a processor?
Under the GDPR, a processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This means that processors process the data specified by the controller, for the controller.
Twilio SendGrid functions as both a controller and a processor. We function as a processor when we handle data according to customers’ specific instructions, solely for their benefit.
The biggest difference between a controller and a processor is how they interact with the collected data. Controllers decide how and why the processing of data occurs, and processors do the actual processing of that data for the controller.
Data security and data protection
Both controllers and processors have an obligation under the GDPR to protect personal data. Article 32 of the legislation specifies what each party is responsible for and how they are expected to ensure compliance.
Article 32 lists security measures that companies should consider implementing, including pseudonymization, encryption, and testing. Organizations are only required to test their measures where doing so is appropriate to the security risk.
On top of those requirements, processors are obligated to work only within the terms of their contract with the controller for processing data; if they act outside of those parameters (for example, by processing personal data beyond the scope of their engagement), they risk noncompliance and fines ranging from €10,000,000 to €20,000,000.
Controllers have an additional obligation to supply individuals with copies of their collected data upon request, and to rectify any incorrect information an individual may find. Individuals can also request that controllers delete their data altogether.
What about Twilio?
Twilio is both a processor and controller under GDPR standards. Our customers may act as either processors, controllers, or both, depending on the services they provide and how they process/collect data.
For those that do not comply with the GDPR’s standards, there are some serious consequences including heavy fines. However, there are several opportunities for organizations to receive warnings or formal reprimands before monetary penalties are put in place. Article 58 of the legislation lists the chain of command for issuing warnings, reprimands, orders, processing limitations, and fines. Details for how fines are determined are included in Article 83, and can cost an organization up to €20,000,000 (depending on the violation) or a “[percentage] of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
The GDPR can be complicated; there’s no denying it. To make our role as straightforward as possible, we’ve compiled a list of resources that explain how Twilio and Twilio SendGrid interact with personal data.
- Twilio’s GDPR resource page
- Twilio Legal’s Data Protection Addendum
- Twilio’s sub-processors
Keeping up with new privacy legislation doesn’t have to be difficult. For everything you need to know about the latest regulations, check out our GDPR guide.