Who are the key players in the data protection framework?

The whole notion of GDPR covers personal data, its processing and storage while ensuring transparency of its use. For the enterprises involved in upholding these obligations, compliance requires an understanding of where you fit in the data ecosystem.

The key players are; Data Controllers, Processors, Sub-Processors and Data Subjects. Also, Supervisory Authorities in each EU country play an important role in monitoring and enforcing the legislation. For example, in the UK this organization is called the Information Commissioners Office.

The supervisory authority most likely to monitor your compliance is in the country where your “main establishment” is located and “central administration” takes place. Both Data Processors and Data Controllers will be jointly, and separately responsible for compliance with the new GDPR regulation.

Within the enterprise messaging industry, understanding these roles is crucial since the value chain is complicated, and for the first time Data Processors will be placed under a direct obligation to comply, something which previously only applied to Data Controllers. So as both parties will be found in breach for non-compliance, it’s vital to know where you fit in this framework.

To add a little confusion, it should be noted that enterprise messaging companies can be regarded as Data Processors, Data Controllers and Data Sub-processors all at the same time. They are Data Controllers in their role of storing employee and customer information, but they could be a Data Sub-Processor if their relationship is with a Data Processor rather than with a Data Controller directly.

A Data Controller is the entity that has a direct relationship with the Data Subject and determines the purpose, conditions and means of processing of personal data i.e., businesses sending or receiving messages from their customers. Data Processors are the companies that deliver these messages on behalf of the controller – from bulk SMS providers, through to more sophisticated CPaaS providers like CLX.

Consumers have the right to refuse to become a Data Subject, which opens up the issue of informed consent. GDPR requires gathering multiple consents, and giving individuals the right to withdraw consent from a service at any time.

Consent should be informed, so that a person can understand what they are signing up to, and it must be unambiguous.

Consent should always be explicit. Data Processors do not require explicit consent from the consumer, providing the Data Controller has received the appropriate consent. They have the legal right to process this data in order to undertake ‘performance of a contract’.

Need to know more? Download the full CLX Guide to GDPR and Enterprise Messaging here.

Originally published by CLX Communications