Protection & privacy
7 March 2022

Personal information: Do you know your role?


There are two distinct roles when it comes to corporate responsibility for managing personal information: controllers and processors of personal information.

What is the difference between these two roles in the context of processing (collecting, displaying, storing, analyzing, transmitting, treating or modifying) personal information?

This understanding of an organization’s situation is the basis for defining responsibilities and applying appropriate measures to adequately protect personal information.


The terms “controller” and “processor” of personal information are increasingly present in both legal and information security news these days. This is due, on the one hand, to the significant increase in the number of scandals linked to data abuse by technology giants and, on the other hand, to the media attention given to the implementation of new laws and regulations requiring security measures for the protection of personal information (such as the General Data Protection Regulation, GDPR, or the new Quebec version of the Personal Information Protection Act).

Today, all organizations that hold personal information, whatever their nature, must be concerned with the management and protection of this data.

At a time when data is the most precious commodity, personal information is increasingly accessible, available and in astronomical quantities, and people are rightly concerned about it!

ISO/IEC 27701, published in 2019, proposes a model for corporate governance of personal information for both controllers and processors. The standard provides guidelines for the implementation, maintenance and continuous improvement of a privacy information management system (PIMS).

Role example

For example, if a company offers a SaaS service on a cloud platform such as AWS, the SaaS company is the controller, since it collects personal information and decides on the processing and the measures to be implemented. AWS is the processor: it does not dictate any security measures, but rather executes the requirements of the SaaS firm. The SaaS company has the choice of determining the purposes and means of processing to be implemented within the services offered by AWS.

Definitions:

These definitions are taken from the General Data Protection Regulation (GDPR), the law in force in Europe.

Controller: a “data controller” is a natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal information.

Processor: a “data processor” is a natural or legal person who processes personal information on behalf of the controller.


You are the controller of the data if you decide:

  • whether to collect personal information from your customers, site visitors and other targets;
  • what to collect;
  • whether to change or modify the data you collect;
  • whether to perform data processing or analysis;
  • where and how to use the data, and for what purpose;
  • whether to keep data in-house or share it with third parties;
  • how long data is kept, and when it should be deleted.

You are the processor if you act on behalf of the data controller, or perform some of the following tasks:

  • provide controllers with processing tools (disk space, memory, processing capacity, etc.);
  • design, create and implement IT processes and systems according to the controller’s instructions, enabling the controller to collect personal data;
  • use tools and strategies to collect personal data on behalf of the controller;
  • implement security measures to protect personal data in line with the objectives of a controller;
  • operate systems for third-party controllers, as MSPs (Managed Service Providers) do;
  • store personal data collected by the controller;
  • transfer data from the data controller to another organization and vice versa.

Note that ISO 27018 concerns cloud processors only (Amazon, Azure, Google, OVH, R2i), whereas ISO 27701 concerns the role of controller as well as that of processor.

To make things a little more complex, there are also “joint controllers”, who share the responsibilities of a controller between them.

It is therefore possible for a company to act as both a controller and a processor, in which case it must ensure that it complies with both sets of controls in order to properly protect personal information. In any case, defining the types of data under its responsibility gives a company a clear vision of its risks and of its obligations towards the “people” to whom this personal information belongs.


Patrick Boucher
President and founder
25+ years of experience in security, ethical hacking, business continuity