Data Controllers, Data Processors, and the Growing Use of Connected Products in the Enterprise: Managing Risks, Understanding Benefits, and Complying with the GDPR

Abstract

Modern enterprises increasingly purchase and deploy products and services from third parties that collect data as part of providing the services. In this context, there is a common belief that the enterprise must be the “data controller” (in the terminology used in European data protection law), and the third-party provider must be a “data processor” acting on behalf of the enterprise. However, such a blanket rule is neither required by the law nor reflective of reality. There are many instances in which a third-party provider acts in whole, or in part, as a data controller. While the characterization of the third-party provider as a controller or a processor has certain legal ramifications, the difference may be less significant under the General Data Protection Regulation (GDPR) than under prior European data protection law. Legal compliance, risk mitigation, and appropriate protection of personal data can be achieved whether using products and services provided by data controllers or data processors; and there are pros and cons to each approach. This paper describes the data protection obligations on organizations that purchase and deploy products and services that collect and transmit data to a third-party provider. For each obligation, it will discuss the similarities and differences (if any) in those obligations between those cases where the data is collected by a data processor and those where the data is collected by a data controller. This paper focuses on those obligations imposed by the European GDPR; but because many of the principles and obligations occur in other privacy laws around the world, many of the conclusions can be generalized for global approaches to compliance.