Data Protection Ecosystem

The Data Subject is central to the Data Protection Ecosystem as they are the source of data and the subject of protection. As per the Data Protection Bill, 2019, the Data Subject is an identified or identifiable natural person who is the subject of personal data. It is noteworthy that the GDPR gives a more elaborate definition of a Data subject by defining who ‘an identifiable natural person is’ which is;  one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The Data Controller is defined as a natural or legal person, public authority or agency which alone or jointly with others determines the purpose and means of processing personal data. The Data Controller will be the party at whose behest personal data is collected.

The Data Processor is defined as a legal or natural person who processes data on behalf of the Data Controller.  This is usually where the Data Controller contracts a third party to process the data on its behalf.

In some instances where the Data Controller may also be the Data Processor where it collects data and processes the data internally.

A Data Controller is therefore anyone (natural or legal person) that collects the data of its customers, clients, employees, consumers of its services etc. Examples of Data Controllers include mobile network providers, fast food outlets, supermarkets, law firms, engineering firms, accounting firms and all other entities that you can think of that at any point request for personal data.

Under the Data Protection Bill, 2019, a Data Controller and Processor is required to appoint a Data Protection Officer who acts as the point person between the entity and the office of the Data Protection Commissioner as well as overseeing implementation of data protection policies internally.

The Data Protection Authority under the Bill is the Office of the Data Protection Commissioner. The key functions of this office are enforcement and implementation of the provisions of the Act as well as regulation of Data Controllers and Processors.