5
Clarify roles and responsibilities
All organizations that gather or handle EU citizens' data are subject
to GDPR. Your organization is responsible for complying with these
GDPR mandates, and you also need to ensure that every partner with
access to your data complies with them as well.
Data controllers
Any organization that decides which PD to collect, for which purpose
and how to process it, such as a company that collects cardholder
information or video footage. Responsibilities include:
• Vetting channel partners and vendors you work with
• Controlling what data your partners have access to
• Evaluating how they intend to manage, store, and secure data
• Ensuring partners are abiding by best practices and honoring their commitments
Data processors
Any organization that processes PD on behalf of data controllers,
such as cloud service providers or companies that host security
systems. Responsibilities include:
• Being accountable for technology deliverables and other commitments
• Remaining transparent about PD handling and protection
• Assuming responsibility for any of their own actions (including those of their
respective suppliers) that may impact your organization