No analysis of the impact of GDPR can ignore the key terms the Directive introduces: controllers and processors. Into which category you fall will define your obligations under GDPR.
In essence, the controller has the responsibility over the individuals’ data and gives instructions to the processor on how to use that data.
So the division of duties seems clear. Until you consider that GDPR holds controllers responsible for the proper or improper handling of personal information, even if they outsource the processing of the data.
In a further twist, if the processor exceeds the bounds of its instructions from the controller, it becomes the controller and assumes the key responsibilities.
Let’s map that slightly complex situation to the investment management industry. First, funds. The issue is fairly clear-cut, with the personal data of investors remaining the responsibility of the fund entity. The fund is the controller.
If a company outsources the computation of salaries, the company is the data controller and the outsourcing company is the processor for such purpose only.
So far, so good. But what about Mancos? They might argue they have no role given their distance from the day-to-day operations of the funds. “The issue for them arises if something goes wrong with the investors’ data,” said Vonner.
With this in mind they should probably be considered co-controllers - jointly responsible for controlling data alongside the fund entities.
Next up, transfer agents. “Transfer agents must wear the two hats of a processor and a controller,” says Vonner. They perform processing for funds, but they are controllers in that they must do know-your-customer checks for their own business and manage their employee data.
They should keep a register of all their data processing to see if they stray into the area of controller for the funds they service.
They are also responsible for the processing chain and, in particular, making sure that sub-processors comply with the data protection rules.