A Match Made in the Cloud: The Data Controller and the Data Processor
The EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Most notably, the GDPR gives individuals more control over their personal information, and it requires that companies be clear about why they are collecting information. Under the GDPR, corporations that access customer information are defined as a controller and/or processor. Any corporation that does business within the EU or with EU citizens or residents must comply with the GDPR, even if it is based outside Europe.
What’s the relationship between controllers and processors?
The controller is the person, company or agency which determines which data will be collected, from whom and for what purpose. The controller also determines where and how personal data is stored and managed. The processor is the person, company or agency that processes data on behalf of a controller. In effect: the controller is looking for data storage, and the processor provides the storage. But both are subject to the GDPR.
In most circumstances, controllers will upload data to a processor. The processor will then process the data and store it in the cloud. Because the controller retains control over the data, trust in the processor is essential.
Here are some questions to consider:
- Do you know where your processors’ servers are located?
- Does your processor comply with the GDPR?
- Are their cloud processes secure? Can they prove this with third-party audits?
- Is your processor WebTrust certified? Are they SOC2 compliant?
Controllers must also be clear about data retention policies. Individuals must know how long their data will be kept, and data cannot be held longer than necessary. At the end of that period, all data must be destroyed. Processors who store data in multiple systems must have procedures in place to ensure that it can be deleted.
As a data processor, Echoworx only delivers mail to end users. We store all emails in encrypted form, and delete them promptly. We’re in full compliance with the GDPR.
What does this mean to me?
There are many instances where organizations might encounter touchpoints in the controller/processor relationship. Take banking, for example: You might be a big bank that simply has too many customers to provide reliable and effective data encryption in-house. Your bank signs a contractual agreement with a third-party encryption provider to encrypt and send high volumes of secure financial statements. Since you retain control over customer contact and statement details, your role in this relationship is that of a data controller – whereas the third-party encryption platform, which processes the data for secure transit, is the data processor.
Ultimately, you are responsible for ensuring the safety of sensitive customer details – from something as simple as their address to something more complex like their financial history. And, under regulations like the GDPR, and even newer regulations, like California’s AB 375, you are also responsible for ensuring your third-party processors abide by your security standards.
To help establish a baseline of what is needed, you might consider investing in a third-party cybersecurity audit – here’s what you need to know.
Cybersecurity Leadership Exchange Forum (CLX Forum) provides additional insight
A substantive discussion of the GDPR and its implications is provided by the CLX Forum, a Canadian thought leadership community, in their book Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives. Among many interesting observations, Edward Kiledjian, VP Information Security, Compliance and CISO at OpenText, discusses the question of who owns personal information. While this has yet to be settled in North America, the GDPR is clear that in Europe, private citizens now own their data. At any time, an EU citizen can revoke an organization’s right to store his or her personal data. And if an EU citizen asks an organization to destroy data, the organization must do so within one month. It’s also important to note that previously collected data is not exempt from these regulations. If your organization has collected data from EU residents in the past, controllers must obtain consent for current use of that data. 
Another important aspect of the GDPR is that its regulatory agency is actively testing security. As part of this process, it is also measuring how companies respond to attacks. As Amir Belkhelladi, Partner, Risk Advisory, at Deloitte Canada, points out, corporate boards are now directly accountable to the GDPR regulatory agency. Boards must understand how data is collected, used, stored and destroyed. They must also ensure that management is following these new regulations. 
Fines with teeth
Before the GDPR, companies worried mostly about the reputational impact of a cybersecurity breach. Now, in addition to expensive brand damage, there are serious financial implications for security failures. Companies that don’t adequately protect data can face fines of up to 20 million Euros, or 4 per cent of their global annual revenue, whichever is higher. Companies have just 72 hours to report a breach, and they are required to notify customers “without undue delay” after becoming aware of a breach.
Companies that do not provide goods or services to EU residents are not required to comply with the GDPR. But the GDPR also applies to EU residents living abroad and to companies that hire third parties with connections to EU countries. For those that continue to do business in Europe, privacy by design will become their new watchword. Organizations must ensure their systems meet these stringent standards. Will some small organizations decide that they can no longer do business with EU citizens? Almost certainly. But for every organization that does operate in Europe, compliance should be mandatory. And since the GDPR is the most stringent set of privacy regulations ever enacted, companies that do comply can be assured that they are covered worldwide.
By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx
CLX Forum, Chapter 12, “General Data Protection Regulation (GDPR)”
CLX Forum, Chapter 3, “Coaching Your Board and Leadership Peers on Cybersecurity Issues”