I pronounce you Data Controller and Data Processor

A month has already passed since the day the new regulation on data privacy came into force.

After a pre-GDPR panic and what-should-I-do-now!? nightmares, the situation should be eased and clear to all by now.

Or maybe not…


A report published by Deloitte shows interesting statistics revealing the GDPR readiness status across Europe. Not too far back in 2018 there were still a lot of companies unsure about how the GDPR would have impacted their business activities, what within them and, only 15% of them were ready to be compliant before May 25th.

One thing, rather shocking, is also the fact that most of the companies, just a couple of months before the GDPR came into force, were not even aware of its existence!

Considering these circumstances, I wouldn’t doubt for a second that there is quite a lot of uncertainty out there. Especially, I would say, when it comes to understand specific roles and responsibilities.

The GDPR highlights the differences between Data Controller and Data Processor, outlining the distinct obligations and roles that the two parties have. Nevertheless, the interpretation of the regulation and lack of guidance have been raised as major issues, specifically for Article 29 Working Party of the regulation. On top of this, when it comes to business relations the situation is quite complex; in most of data-related activities, it is not always easy to determine whether a company is a Controller or Processor.

Think about this:

A university wants to collect information about its student with the purpose of elaborating estimates about the university population: percentage of international students, average age and performance.

It hires a survey service provider for data-processing the data to deliver results to the university.

At the same time the survey service provider makes use of these data to target a specific segment of students for its marketing purposes.

So, who’s the Data Processor and who is the Data Controller here?

We know that many companies don’t know yet what they are responsible for and are struggling to keep performing their activities as they fear not complying with the new regulation, and for these reasons, we would advise you to read this article which aims to clarify some key points.


Why is it important?

Before trying to understand the differences, the first step to take is to clarify why making a distinction between the Data Controller and the Data Processor is important.

Data processing activities are particularly sensitive, as they involve personal data and concern real people. For this reason, it is quite crucial to avoid any gap in organizations’ responsibilities. That is, avoid that data subjects’ requests get disregarded because roles and responsibilities are not defined between data controllers and data processors.

Furthermore, in the instance of a data breach, it is essential that the parties involved have a clear agreement on where responsibilities lay. As this will allow to simplify the process of determining who is liable for what. This division of responsibilities should be agreed on at the very early stage of the relationship between data controller and data processors, to guarantee a smooth progression of business activities.

Definitions, Roles & Responsibilities

Article 4 (par. 7 – 8) of the regulation provides the definitions of Controller and Processor, clearly highlighting the substantial difference between the two:

  • controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The Data Controller is the one who chooses what the data is used for and how to process it.  Whereas, the Data Processor is the one that follows the instruction of the Data Controller and elaborate systems to implement data processing.

Further exemplifications of the roles of these two parties can be found in Article 24 and Article 28 of the new regulation. More details are given regarding, respectively, the obligations of the Data Controller, and the guidelines of actions and obligations towards the Controller for the Data Processor. They are both summarized here below.


Obligations of Data Controller

The Controller is subject to two principles: Data Protection by Design and Data Protection by Default.

The first stating that at the time of determining the purpose of data processing (data planning) and at the time of data processing (execution time) Controllers are advised to implement processes and take specific security measures in order to carry out data-related activities in compliance with the GDPR. This implies that the Controller is responsible for:

  • Assessing risk for people’s rights and freedoms;
  • Implementing proper security measures to guarantee data protection;
  • Elaborating and adhering to codes of conduct.

The second principle, Data Protection by Default, points out the fact that Controllers should only process personal data serving a specific purpose, should collect data only if necessary and store them for a determined duration. This means, the Controller is responsible for:

  • What data to collect;
  • Where to store data, for how long and when to dispose;
  • How to use data and for which purposes.

A further obligation of Data Controller is to ensure that the party chosen to be their Data Processor can guarantee and demonstrate its compliance with the GDPR.


Obligations of Data Processor

The data processor is mainly responsible for complying with instructions dictated by the data controller. It has no decisional power on what data to process, how to process it nor for which purpose. However, it has the key obligation to ensure and to help the data controller to perform its activities in compliance with GDPR. It is, therefore, mainly responsible for:

  • Operating only under the instruction of the Data Controller – this also affects the use of other Processors, which need to be approved by the Controller;
  • Implementing the right IT system to allow the Data Controller to collect data and fulfill its purposes;
  • Implementing and assisting Data Controller to implement proper security measures to guarantee data protection – this includes ensuring confidentiality by those individuals who access data from the processor’s side.
  • Assisting the controller in responding to any requests concerning the exercise of data-subject’s rights.
  • Assisting the controller to be compliant with the GDPR.
  • Being able to delete any personal data if required by controller.
  • Adhering to codes of conduct outlined by the controller.


Joint Controllers

The regulation also recognizes the eventuality in which two companies perform as data controllers of the same data, a.k.a. Joint Controllers (Articles 26).

This occurs when more than one party is involved in determining the purpose and means of data processing. It is required for the joint controllers to fulfill the followings.

  • They should be able to determine their respective responsibilities, compliance and obligations towards individual’s rights; this all in a clear, unambiguous and transparent manner.
  • The responsibilities of each controller are determined by the EU/member state laws to which the controllers are subjects.
  • Data subjects need to be made aware of the responsibilities and duties that each controller has according to the arrangements made among controllers. This way, data subjects will know which of the controller to reach out to for complaints and/or requests.

However, it is important to outline that the distribution of responsibilities does not release a company from the responsibilities it has towards data subject, as the regulation clearly states that any data controller is liable for any damage occurred during processing activities, unless proven that it is no way responsible. (Article 82)

In conclusion, what you need to remember is that if you are deciding for what purposes and the means through which the data is collected, processed and stored, you are the data controller. If you need instructions before performing any data processing activity, you are the data processor. However, the lower the level of supervision provided by Data Controller on Data Processor, the higher the likelihood of Data Processor becoming co-controller of data.

Hoping that this brief article helped you to identify the key differences between the two roles, if there is anything in this article that you believe requires rectification, please do not hesitate to get in contact.

However, I find extremely important to stress on the fact that this is not an official document from EU. Therefore, we strongly advise you to get in contact with your legal advisor before making any action.


To make it clearer I gathered some examples, which address various circumstances and should help you to further understand your role and responsibilities in the GDPR context. Check out here


S2M can help you build your GDPR-compliant lead list!  Click here to find out more.


Startup Loans – Are you a Controller or a Processor?



Getting the right attention on social media | S2M-group Blog

We all count the likes. It would be unnatural not to.

It’s how we learn. Put something out there and feel the reaction. Intensive learning, and the stakes only get higher with practice. Apply marketing to that and your strategy starts to reflect human valuations of success. It’s not about the sales anymore. It’s about how people react. It feels good. Create, publish, observe, refine. Vanity Metrics put a gauge on performance, always with the suggestion that you could be doing a bit better. A healthy strategy, done in the name of a good end. The question is: is this the measure of success that we want?

Few contrarians these days will take the stance of “social media won’t help your business”. That’s a hard story to get behind. Convenience gives you opportunity. Opportunity allows money to be made. This is the hunch upon which every year more and more money is poured into Marketing budgets, often with very little analysis of return. The reason that the counternarrative doesn’t get a fair hearing is that at some point we conceded that it was enough that everybody else was doing it. There must be some reason why 88% of B2Bs are using Facebook. You count the likes and start again, and that’s enough.

As it stands, there isn’t an awful lot of insight beyond that. Any hard data on whether or not Facebook makes you money is buried under the pile of ‘how to’ lists and clickbait correlations posing as if the answer is a matter of common-sense deductive reasoning. There’s the assumption of an intrinstic worth to online performance blows any hope of clear thinking out of the water. It’s no longer a question of how it helps you, but how it looks.

I’m not saying that these platforms don’t help, either. It’s that they’re focusing in on the wrong things. Social media provides great exposure for unknown brands – but is exposure enough? The research would have you believe that as long as the thumb of the crowd falls the right way, your performance in the arena has been good. Why? The modern business isn’t condemned to bankruptcy for an underperforming Tweet. That happens when you’re not making enough money. The point I’m making is that if the value of social media is tied to numbers (and not making money), 10 good leads is much less desirable than 100 easy likes.

What’s followed is a system of research that doesn’t bother to assess how good social media is for ROI. Many of the surveys and reports available freely online ask participants what they think of their current operations, and use that to justify the claim that it works. How do you think your marketers are doing? Do you have plans to spend more? Well that should be enough to go on. This mentality isn’t the fault of the lazy researchers; this happens because social media is inherently difficult to use as a gauge of success. In the same way that I can’t derive that I am popular with my colleagues if 63% of them like my profile picture, it’s hard to draw solid conclusions for business when stuck with baseless numbers and opinion polls.

The above Forbes source attempts to overcome this by making a leap at some kind of reason. People prefer things that cost more money. Ads cost more money. Therefore, people will prefer your channels if you pay for ads. Among all the nonsense does exist a gesture towards rational inference and proper investigation. The problem is, it’s meaningless. If you measure online effectiveness by asking people how they feel, you’ll find that most shrug a neutral ‘fine’ because that’s what people do anyway. We’re bound by our research methods, but also by the kinds of questions we ask. Either we accept that that 63% doesn’t mean anything, or we double down and do a better inquiry into how we’ve got here.

I’m saying that you can use the likes as suggestion a success if you can prove that they mean something. It’s a problem when you stop asking questions once the numbers start rolling in. The majority of marketers consider a Facebook like a marketing success, whereas only 35% hone in on actual qualified leads. Here’s your problem. How do you trust that social media will have instrumental value to your business when it’s value is presumed inherent?

But as long as we place our faith in the likes, it will keep happening. Reportedly, social media spending has increased 234% in the last 8 years, bringing it up to between 11.7 and 15% of total marketing budgets, depending on who you ask. 15% of your marketing budget to count the likes. 15% to feel good. Having justified that budget in a survey, 77% will then turn around and say they want to learn how to measure the effectiveness of social media. 58% of B2C content creators will say that they are still looking for a better understanding of what SM content works, and what doesn’t.

The reason we all still play the social media game is that it lets us feel like we’re winning sometimes. All good games need that. You always pass Go just after landing on Mayfair. It’s the numbers that quantify and validate us. And so, you end up with 1,000 connections on LinkedIn looking for endorsements with absolutely no intention to ever purchase your product. It happens. Look at the weight we give to exposure. Social media puts you in front of more people, finds new study. It’s a perversion of value.

What I’m moving towards is a rethink of the use we ascribe to social media. Having access to the private pages of your target market allows for analysis, which can then be acted upon. 85% of US consumers are on social media. This is your in. A space in the public sphere also allows you to choose how you present yourself to visitors. Put something out and measure the reaction. Create, publish, observe, refine. Knowing that (B2B research) 24% of people would look you up on Facebook before making a decision on a purchase is useful information. If you really can identify causation between social media and improved search rankings – great. But one should be careful interpreting what people mean when they say, “Social media is the most effective channel for any business”. Well, what do you mean ‘effective’? And according to whom?

There is research out there to suggest that social media creates living, breathing customers, but you do need to be careful. The bulk of research falls inline to say that social media just works, and if you’re not getting results then that’s your problem. Some neutral research claim like “consumers follow brands on half as many platforms as they expect them to be active on” gets twisted into “most brands don’t do a good job on social” elsewhere. Likewise, ‘52% of referrals are ruled out before anyone speaks with someone in that organisation, and by the way social media might help becomes “52% rule out a services firm before talking to them due to limited social media presence” on another site.

This isn’t the start of some great conspiracy that you, the reader, are unknowingly being conned out of your 15% by a mischievous marketing team, or crafty journalists. On the contrary, I agree that social media can be useful. But I think it’s high time we understand what we want from it. What do we mean when we ask, ‘is this working?’

As with offline marketing, the key is to close that gap between prospects and leads, likes and engagement rates. Identify causation where you can, and find tips that give targeted advice.

I think that’s it. By all means, count the likes. Ask other people what works for them. But don’t make this the basis of your faith.

Know what you can expect from social media before using it. Used well, it’s a great window into the complicated lives of existing and potential consumers. Used poorly, it’s as much a distraction at work as it is at home.


To start incorporating market analytics into your social media strategy, check out our free TMA trial here.

Making the Right Connections with ABM

“Personally I am very fond of strawberries and cream, but I have found that for some strange reason, fish prefer worms. So when I went fishing, I didn’t think about what I wanted. I thought about what they wanted. I didn’t bait the hook with strawberries and cream. Rather, I dangled a worm or grasshopper in front of the fish and said: “Wouldn’t you like to have that?” Why not use the same common sense when fishing for people?”

– Dale Carnegie, How to Win Friends and Influence People

Who buys into YouTube advertising? I wonder what I am to a marketer, a creator, in line with their business strategy. Is my click a decisive lead? It makes you think: who really benefits from producing these? YouTube, of course. The channel owner. A designer, I suppose. The marketing department. But, beyond that, I get the sense that my interests aren’t being properly considered from the point of view of somebody trying to build a brand. There’s something sad and disengaged about a campaign that pans most broadly for any customer that might yield an accidental click. The problem, I say, is that the viewer can afford to just be another number. And so, rather than seeing a individual who needs care and attention, a strategy is drawn up to smother a sea of potential in bland, popularist content.

At the heart of this issue is a disconnect between Marketing and Sales. If your marketing strategy ends at getting your voice heard, then why should it bother working overtime to push those leads towards a sale? Why invest time and money into mapping the problems of a single potential client? The problem with this line of thinking is that you’re not targeting anybody directly. Being heard is different to getting people to listen, and, if you want to make sales, you need to be able to do both.

So, here’s the pitch: line-up with the objectives of sales, and hone in on the audience that will make everybody rich.

Today, 50% of marketers identify that Lead Generation’s biggest challenge is in improving conversion rates from the lead to the sale. Revenue generation is now the key indicator of a successful marketing campaign according to a majority 57% of marketing influencers. The marketer isn’t around simply to tell fish which worms are on offer; they have a duty to understand their client, and to pass on the relevant information that will make a sale.

In short, I’m suggesting a merger of departments around a clear set of account-orientated objectives. It’s simple ABM strategy. Staying on top of the game involves making sure everyone knows what it is that your fish look for in a worm before you start thinking about where to cast a line.

This starts when you narrow down your addressable market to targets you know you can help. Simple value-based selling should give you a rough idea of your worth, and in turn provide a clearer Ideal Customer Profile. Beyond this, it’s about understanding the conflicting and competing interests within the account you’re targeting. Keep everybody up-to-date with new information about KDMs. Know who you’re talking to, and appreciate that one hundred different heavyweights each have one hundred different opinions that you need to go deeper into. Align your teams around a single database of relevant information. Identify clear end-of-the-line objectives and know how everybody contributes towards those. ABM might be understood through two simple principles: understanding that your client is messy, disjointed and complex, and understanding that you can’t afford to be.

If you want your marketing team to stay relevant and sharp, it’s time to align.

The process from start to finish is meant to be quick and harmonised, with minimal overlap and all the relevant information going where it’s needed. You begin a campaign by looking to assess the values and needs of individuals making up a target market. Knowing how your challenges line up with your resources allows you to plan a little further ahead into the future. In the end, a decent system should be simple and utilitarian, working on preparing the best tools available for problems as they arise. Breaking yourself up into distinct departments is a way to ensure that you don’t create lasting relationships with your customers. The idea is to make everybody aware of the destination before you all start paddling in different directions. It may sound obvious, but the mentality is more sophisticated than firing out a new advert every sixth months in the hope that somebody new might take the chance.

Recent research by ITSMA and the ABM Leadership Alliance showed 87% of marketers favoured ABM over other initiatives for Return on Investment. Bad sales & marketing alignment, meanwhile, is estimated to cost B2Bs 10% of their yearly revenue. This shift in practice is seemingly here to stay. As of 2016, over 70% (of over 200 companies) of B2Bs use ABM programs, sales-marketing alignment increasing from 34% to 83% from the year before, and nearly 60% looking to invest in technology services last year.

As university undergraduates pass every year with studies in ABM strategy, the spray-and-pray YouTube-ad lead-gen-focused approach starts to make less and less sense. The marketers of tomorrow are growing up with a commitment to getting results through a simple process of align, win, refine. Take a leaf out of their book. Don’t lose sight of your goals out of obligation to convention.

If you’d like to know more about how to use ABM to generate the right leads, send an email to


Demonstrate the Business Case & Ensure Value Alignment

The value-based qualification process aims to identify the gap between your Value Propositions and your targets’ pains. In other words, if their existing or future goals, plans and related challenges look like the ones you or your competitors faced and solved efficiently with existing clients, either they’re a good fit and you can move forward with the relationship, or it’s time to part ways.

Unlike IBM’s old BANT approach which qualified targets by their Budget, Authority, Needs and Timeline, our qualification process applies value-selling principals to add value to the target’s decision-making process. It does this by gauging and validating first whether their pains could match and benefit from your products/services’ value propositions.

Once we have determined whether your products/services can help your target to achieve their goals, implement their plan or overcome their challenges, we can start assessing their decision process and where the funding would come from.

Such a qualification process is designed to allow organizations to generate or increase their revenue on a specific market or account, by enabling the exploitation of their product/market fit.  This facilitates new business development, cross-sell and up-sell activities, whilst providing a decision-making and team alignment tool.