Being in direct contact with the GDPR process and discussing it with clients at a SaaS company, I have identified an important confusion, or lack of information, among clients regarding the roles and responsibilities in the process.
In this short post I will try to clarify the responsibilities of both major roles.
GDPR mentions two major profiles:
- The Data Owner/Controller
- The Data Processor
You, as the client, are called the “Data Owner/Controller”.
The SaaS client uses an external supplier as a technology partner, meaning everything stored in the supplier's systems is YOUR DATA, which makes you the Data Owner/Controller.
Your supplier is the Data Processor.
The supplier, as the Data Processor, operates under your direct instructions; therefore every action taken by the Data Processor MUST be under direct instruction from the Data Owner.
In summary, the Data Owner (the client) is responsible for all the data and must ensure that the supplier (the Data Processor) provides every functionality and/or requirement the client needs in order to comply with GDPR.
Image credits: https://www.flickr.com/photos/dcmetroblogger/40658977812