GDPR: Data Subjects, Controllers and Processors, Oh My!

GDPR: Data Subjects, Controllers and Processors, Oh My!

Welcome to Part 3 of our series discussing the General Data Protection Regulation (GDPR). With this post, we’re going to dig into some key concepts in the legislation.

(If you’re asking yourself, “What is this GDPR thing?” It’s a major piece of legislation coming out of the European Union (EU) which regulates the processing of personal data and it could significantly impact your business regardless of where your organization is based. The GDPR will become enforceable on May 25, 2018. For more information, check out Part 1 and Part 2 of our blog post series on GDPR and the session from SIGNAL London, “GDPR and Beyond: Data Protection at Twilio.”)

Before we get started, I want to give you fair warning—this post is going to get into some legal-ish stuff. But, bear with me here. These concepts are an important foundation for understanding your and Twilio’s obligations with regard to processing personal data in compliance with GDPR.  

Let’s dig in…

• • Who are Data Subjects?
  • Who are Data Controllers?
  • Who are Data Processors?
  • Can you be a Data Processors and Controller at the same time?

Data subjects—those for whom GDPR was written to protect

GDPR is a law designed to ensure adequate protection of the privacy rights of data subjects. So, who (or what) is a data subject?  

GDPR defines “data subjects” as “identified or identifiable natural person[s].” In other words, data subjects are just people—human beings from whom or about whom you collect information in connection with your business and its operations.

Your obligations with regard to data subjects and their personal data depend on whether you’re considered a controller or a processor under GDPR. Though the concepts of controllers and processors also existed under the Data Protection Directive, the precursor to GDPR, I’m going to venture that many are just now digging into these concepts. So, let’s review.

Data controllers—those that make the decisions about personal data processing

The GDPR definition of a controller is “the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Basically, if your business processes personal data of data subjects for your own business purposes and needs—not just as a service provider acting on behalf of another business—then you’re likely a controller.  

One way that’s helpful to think about whether you are a controller of certain personal data is to ask, “What if my customer told me to delete that personal data—how would that impact my business?” If it could impact (even minimally) a business process or operation that is not strictly and solely at the instruction of your customer, then you are likely a controller of that personal data.

For example, Twilio is a controller of communications metadata, such as the metadata of phone calls or text messages transmitted or received via our products and services.  These records may constitute personal data because they contain data subjects’ phone numbers, for example. Sure, we process this information on behalf of you, our customers, to transmit communications per your API requests, and we store these records after the communications are transmitted in part so that you can have a record of your communication transactions on Twilio. But, we also need this data for our own business operations, like billing, routing, tax, and audit purposes.

We colloquially refer to this data at Twilio as “outside the envelope.” If you think of an electronic communication as being kind of like a letter sent through the mail, the metadata is sort of like the stuff you write on the outside of the envelope. And just like the postal service needs to read that information and use it to operate its business, we need to read and use the metadata for an electronic communication to operate our business.

Data processors—those to whom controllers have outsourced processing activities

Those entities that process personal data on behalf of data controllers, and as directed by data controllers, are considered data processors. Basically, when the controller outsources the actual data processing function to another entity, that other entity is a processor.  

Twilio is a processor of your communications content, like message bodies or voice or video media. We don’t do anything with that content unless you, the customer, tell us to.  So, if you want to delete it, we’ll delete it. It doesn’t impact our ability to run our business. We refer to this data, colloquially, as “inside the envelope.” Just like the postal service doesn’t need to know what you wrote in your letter to Aunt Tilly in order to run its business, we don’t need to know what your support agent said to your customer over your application built on our Programmable Voice service to operate our business.

Note, if your processing of personal data involves more than just merely following the instructions of your customer, then you’re acting as a controller of that data, not a processor. For example, if you run analytics on your customers’ personal data (rather than on, for example, their aggregated anonymized data) for your own business analytics, then you’re acting as a controller, not just a processor.

Can you be a processor of some data and a controller of other data at the same time?

Yes. Many companies that are data processors of some personal data also are data controllers of other personal data. The concept of whether you are a controller or processor is based on your processing actions as to a particular type of personal data, not to your company as a whole. For example, your business could be a processor of your customers’ data, but a data controller when it comes to your own employees’ data.

Generally, businesses are going to be data controllers of their own employees’ personal data, used for human resources operations, as well as their own customer relationship data that they use for customer relationship management and support functions. It is harder to generalize about when businesses function as a data processor. Some organizations that process personal data may only be controllers and never act as data processors.

Well, that was a lot to digest! But the reason why these concepts matter is that your obligations under GDPR depend on whether you are acting as a controller or a processor in connection with data subjects’ personal data. So, once you’ve mapped out what personal data you process, you should spend some time determining whether you are acting as a controller or processor with regard to each category of personal data.

The countdown has begun – let’s get it done! Onward!

DISCLAIMER: The above information is Twilio’s interpretation of GDPR requirements as of the date of publication. Please note that not all interpretations or requirements of the GDPR are well-settled and its application is fact and context specific. This information should not be relied upon as legal advice or to determine how the GDPR applies to your business or organization. We encourage you to seek the guidance of your legal counsel with regard to how the GDPR applies specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. You may copy and use this posting for your internal, reference purposes only.