Am I the Data Controller or the Data Processor?
With new data privacy laws, like the EU’s GDPR and California’s AB 375, how you handle sensitive customer data is more important than ever – including how and where you store data. This is why understanding your relationship with your cloud provider is so important.
And there are two parts of the cloud relationship you should know: the ‘data controller’ and the ‘data processor.’
The data controller is the party looking for data storage. They collect data and own it under contractual agreements with their end customers. The data processor, in the context of the cloud, is the cloud service provider. In an ideal world, the controller uploads data to the processor, who stores it.
In a world of increasingly strict privacy rules, with steep fines for those who violate them, the controller needs to maintain control over their data. This starts with trusting their cloud provider and having a Data Processing Agreement in place that ensures data is relinquished upon request.
This trust starts with knowing exactly how and where the processor is storing data. Since a cloud is actually hosted on physical servers, the controller needs to ask questions like whether the processor is SOC 2 or ISO certified for physical, system and operational security. Do they abide by the same privacy promises the controller is making to their customers?
At the end of the day, the controller is ultimately responsible for how customer data is stored, delivered – and breached. There need to be clear instructions for the processor to follow in the event of a breach, and a proper pre-emptive protocol needs to be in place if the data is subject to specific geographical regulations, like the GDPR.