Our role as a data controller and what it means for you
In February we wrote about our commitment to the upcoming General Data Protection Regulation (GDPR).
Under GDPR, businesses must operate as either a data processor or a data controller. In this blog, we explain GoCardless’ status as a data controller - and what that means for our customers.
As part of our preparation for GDPR, we have looked carefully at how we process data relating to customers who pay companies through GoCardless (‘end customers’).
From that analysis, and taking into account UK and EU-wide regulator guidance, industry practice and legal advice, we've determined that we act as a data controller in respect of end customers (like many others in the payments space, including Square, PayPal and Visa members).
Ultimately, being a data controller means we have an even greater responsibility to protect your customers’ data - and we are directly liable to data protection authorities in relation to all obligations under the GDPR.
Data controller vs data processor
Under GDPR, businesses must comply as either a data processor or a data controller in relation to specific data.
Data processors process personal data on behalf of the controller, but they don’t decide the purpose (the ‘why’) or the means (the ‘how’).
Data controllers determine the purpose of the processing and the means to achieve that purpose. Essentially they decide why and how the processing should take place.