We’ve covered which businesses must comply with the GDPR, but who inside the organization is responsible for maintaining compliance? The GDPR mainly applies to two roles: data controllers and data processors. In addition, anyone who was subject to the United Kingdom’s Data Protection Act is likely required to maintain GDPR compliance.
A controller is a person or entity that, alone or jointly with others, determines the purposes for which personal data is processed, while a processor is a person or entity that processes that data on behalf of a controller.
According to the United Kingdom’s Information Commissioner’s Office, data controllers and processors have “significantly more legal liability” if they are responsible for a data breach. Maintaining compliance is a new obligation for them under the GDPR.
The GDPR requires processors to maintain records of how personal data gets processed, and it requires controllers to ensure that their processors maintain compliance.