First, we will look at the Data Protection Officer. Small organisations that do not process a lot of data do not need to appoint a Data Protection Officer. A Data Protection Officer should hold relevant qualifications and have detailed knowledge of GDPR. They only need to be appointed if:

  • You are a public authority.
  • You regularly carry out systematic monitoring of individuals on a large scale.
  • You carry out large-scale processing of special categories of data.

They cannot be in a position that determines the purposes and the means of processing data. They must be provided with adequate resources to perform their duties, should report to the highest management level, and must be fully included in all issues relating to the protection of personal data. A Data Protection Officer should never be penalised or dismissed for carrying out their duty.

The Data Controller can be an individual, organisation, company, agency, public authority or any other body that either singly or jointly determines the purposes and means of processing data.

The Data Processor can be an individual, legal person, organisation, company, agency, public authority or any other body that processes personal data on behalf of the controller. A typical example of a processor would be an accountant who processes the payroll on your behalf. Or it could be an online system such as Salesforce, which provides an online service but does not make any decisions about the data you enter. A processor doesn't have any control over the data or make any decisions about how they process the data; they just process it.

It is possible to be both a Controller and a Processor for different things, but where decisions are being made about the means of processing the data, this would be the job of a controller.