Data Controllers vs. Data Processors: Why Ad Tech and MarTech Companies Should Favour the Processor Role
Controlling and securing customer data, especially personally identifiable information (PII), is a persistent compliance concern for ad tech and martech companies, given the wide array of regulations in force and the stiff penalties attached to non-compliance.
Any company that touches customer data is classified as either a data processor or a data controller. On the surface, the distinction looks like a matter of semantics. In practice, the implications of being one versus the other carry serious legal and operational weight.
Key Definitions
Data Subject: A user of an application and/or a website visitor — in other words, a customer or prospect.
Data Controller: The company responsible for the adequate treatment of data. The controller determines the purposes for which, and the manner in which, personal data are (or are to be) processed. A company using a marketing automation tool or an ad retargeting platform is a typical example.
Data Processor: An intermediary between data subjects and data controllers. This category includes tool and service providers, specialized analytics consultants, and digital or media agencies that process data on behalf of a data controller.
Where Ad Tech and MarTech Companies Usually Fall
Marketing cloud vendors and providers of standalone ad tech and martech SaaS solutions that store data including PII are generally considered data processors. The reason is straightforward: they don't use the data for any purpose other than what the data controller has mandated. They provide software that the data controller operates at its own discretion.
That said, a B2B ad tech or martech company can occupy both roles simultaneously in certain scenarios. Consider an email marketing software vendor used by brands to communicate with end consumers. That vendor is a data processor because it handles end-consumer data on behalf of its brand customers. If the same vendor were to use that data to provide market research services back to those brand customers, it would cross into data controller territory for that activity.
Why the Processor Role Is Generally the Safer Position
Data can be as commercially valuable as any other business asset, and having control over it carries real revenue potential. Even so, the established view among compliance practitioners is that ad tech and martech companies are better served by holding as few data controller roles as possible — and by staying vigilant against using collected data in ways that would push them into controller territory. This guidance applies with particular force to companies located in, or serving customers in, the European Union, where recent data protection reforms have raised the stakes considerably.
There are two core reasons for this.
Fewer regulatory requirements. Data processors face a lighter regulatory burden than data controllers. The primary obligation that applies to processors is the requirement to keep personal data secure from unauthorized access, disclosure, destruction, or accidental loss.
Lower legal liability exposure. Under the EU General Data Protection Regulation (GDPR), data controllers face more severe regulatory fines than data processors for failures to keep personal data appropriately secure. Critically, if a data processor is at fault for a data breach, it is the data controller that contracted with that processor who is liable for non-compliance with data protection law — though the processor may face contractual liability to the controller under their agreement.
Processor Obligations Still Matter
Being classified as a data processor does not mean operating without accountability. Ad tech and martech companies in the processor role should have a data processing agreement ready to sign with customers, and should assign a data protection officer to ensure they meet all applicable data processor obligations — regardless of what the letter of the law requires at any given moment.
The regulatory framework, along with the definitions of data, PII, processing, and controlling, will continue to evolve. The practical takeaway is that, despite the competing interests and incentives at play, data processors and controllers share a common goal: ensuring that all customer data is kept secure and used appropriately by every party involved, at all times.
This article was originally published on AdExchanger on May 24, 2016.