The term data controller typically refers to the General Data Protection Regulation (GDPR) and its requirements for data protection; the role originated in European data protection laws. The GDPR formalized the data controller role when it laid down stringent requirements for personal data use in 2018.
Requirements for data controllers under the GDPR
The GDPR, which applies not only within the entire European Union but also to organizations in any country that do business with or serve customers in Europe, is specifically designed to protect individuals and their personal information. Therefore, it is extremely stringent on organizations. Businesses had to scramble to comply with the requirements, including many United States businesses. Data controllers have many responsibilities; these are just a few.
The GDPR requires that businesses have at least one good reason for collecting someone’s personal data, and the business’s data controller must be able to demonstrate that reason. The six reasons, or “lawful bases,” for collecting personal data are:
- Consent, given to the company by the individual
- A contract between an organization and an individual that requires personal data
- Compliance with a legal obligation (having to provide someone’s data to the government by law)
- Protection of an individual’s vital interests
- Public tasks that require personal data to be processed (for example, an organization needs an email address to follow up with a customer regarding a specific service)
- Protection of the organization’s legitimate interests, typically for legal purposes
Data controllers must also keep detailed records of the data they collect, where they send it, and how they use it. They are required to have those records available in writing. If they sell data to any third parties, they must document exactly to whom and for what purpose. Individuals (or, as the GDPR calls them, data subjects) must be able to access that information, too.
Data controllers must also make their contact information readily available to data subjects, who can then contact the data controller with questions regarding their personal data and how it is used.
The GDPR requires certain organizations to appoint a Data Protection Officer (DPO); this may be the responsibility of a data controller. An organization must appoint a DPO if it handles large amounts of sensitive data (as a large medical facility or financial institution does) or regularly collects copious amounts of data, including through frequent monitoring or surveillance.
GDPR requirements for US companies
An important note for businesses in the United States: if US companies have EU customers, EU branches, EU employees, or even a presence in EU nations, the GDPR applies to them as well. California’s CCPA has similar requirements. This means that the above requirements for data controllers, and possibly for data protection officers, apply to US businesses, as they do to any business that has EU customers. Even a company in the United States with a large online presence or email marketing campaign, such as a department store, is probably subject to the GDPR because it is likely to have EU customers online.