GDPR: The Controller Vs. Processor Hot Potato Could Hurt Consumers

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Travis Ruff, chief information security officer at Amperity.

With much anticipation, the General Data Protection Regulation (GDPR) is here.

As it takes effect, there is still a debate about which organizations are controllers vs. processors, what type of companies must get consent and when, and how consent risk should be managed.

The crux of the debate is the definition of controller vs. processor. GDPR defines the controller as the entity that determines how personal data is processed. It defines the processor as the provider of processing services, as dictated by the controller.

These definitions seem straightforward and avoid the pitfalls that generally complicate this debate, including who has the direct interaction with individuals and who stores and maintains the data.

I will not attempt to clarify or narrow these definitions as they work on both a macro and a micro level. What is fascinating about this debate is that it misses the most important point: This is less about a strict definition of controller vs. processor and more about where responsibilities lie in the relationship between the two.

If, as a data controller, I ignore due diligence and contractual requirements and enter into agreements or share data with third parties that I cannot trust to meet the limits of GDPR’s required processing and data protection, I should rethink and likely terminate those relationships.

If, as a processor, I knowingly or unknowingly perform processing activities beyond the scope of my agreements, I am ignoring both the letter and spirit of the law. The agreement between controller and processor must clearly define all of these requirements, including when a controller wishes to transfer risk to a processor.

As evidenced by Google, controllers are attempting to transfer to processors the key risk of consent. The benefits of transferring consent seem clear: The controller assumes no responsibility in the handling of data because their third party must gain consent. If a third party fails to get consent, it would be found at fault and answer to the data protection authorities.

I struggle to believe that this is actually how any reasonable case would play out.

The controller directs how data is collected from individuals. If it relies on a third party to get consent from individuals but the third party fails to do so, there is no get-out-of-jail-free card to play; both will be held responsible because there is no effective way to transfer 100% of the risk.

Should transferring consent responsibilities and risk to a third party even be considered? In even the simplest ecommerce, retail, hospitality and travel environments, individuals’ data may be shared with multiple third parties.

In this scenario, is pushing consent activities to each third party desirable? Will five, 10 or more third parties reach out to each customer to independently gain consent? What is the benefit, especially when data-sharing obligations are factored in?

From the perspective of a controller, gaining consent for all processing activities in a single, unified location has a clear benefit: it gives the controller direct oversight of consent, regardless of whether the data processing is performed by the controller or a processor.

From the perspective of a processor, the complexity of obtaining consent grows exponentially. The processor must have sufficient personal information in order to get consent from an individual for processing. This involves a data transfer from the controller to the processor. Must the controller get individuals’ consent before transferring data to the third-party processor? A chicken-and-egg scenario may play out.

A processor will also likely hold an individual’s personal data from multiple controllers. If consent is managed at the processor level, is consent granted universally by an individual or is consent granted for only a specific controller-to-processor relationship, and thus a processor must reach out multiple times?

A goal of GDPR is to give individuals more control over the use and sharing of their data. But if individuals are forced to manage consent with 200 processors and 20 controllers instead of only the 20 controllers driving data activities, I would argue that the goal will not be achieved. In fact, individuals’ effective control of their data use and sharing may be diminished from where it was with existing laws, including the Data Protection Directive.
