Roles Under GDPR: The Data Controller
Introducing the Data Controller
Who is this? You, if you decide why and how personal data is processed. The Data Controller is the organisation that instigates the collection of the data and determines the purposes and means of processing it. You may use an online form built with Keap’s fabulous form builder to gather leads. In that case Keap is a data processor acting on your instructions, while you, as the party who decides what the data is collected for and how it is used, are the “Data Controller”. Articles 24-31 of the GDPR set out the general obligations of the Data Controller. We have had clients say things like “I use Infusionsoft so I’m GDPR compliant.” This is not true. Infusionsoft’s GDPR compliance features make it one of the better solutions out there for handling business data, and because it is an all-in-one email marketing AND client relationship manager, it reduces the risks that come with moving data between systems. However, Infusionsoft is a GDPR compliant Data Processor. Under the accountability principle (Article 5(2)) the burden of proof lies on YOU to demonstrate that you are a GDPR compliant Data Controller.
Your responsibilities include ensuring that any data processors you use provide sufficient guarantees of compliance and operate under a binding written contract (Article 28). If your organisation is not established in the EU but processes the personal data of people in the EU, you must also appoint a representative inside the EU (Article 27). You must keep records of your processing activities (Article 30); don’t worry, we break this down into several easy steps.
You must implement appropriate technical and organisational security measures (Article 32). Again, we break this down into manageable chunks and include walkthroughs for incredibly useful technical compliance processes such as obtaining a free TLS/SSL certificate from Let’s Encrypt, traditionally a specialist job. You must notify the supervisory authority of a personal data breach, normally within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to the people affected, you must also notify them without undue delay (Article 34). Basically, as the Data Controller you are fully accountable for upholding the data protection rights of data subjects.