Organisations have varying degrees of responsibility when it comes to processing personal data. Depending on your involvement, you may be either a data controller, processor, joint controller or sub-processor. 

So, which category does your business fall into? In this article, we’ll cover the responsibilities of a data controller and processor, and determine which role applies to you. 

What Is a Data Controller?

A data controller is an individual or legal entity, such as a company or public authority, that makes decisions about how to process data. They have sole control and responsibility for the processing, including how personal data is collected, used, stored, altered and disclosed. 

As data controllers bear greater risk, they are subject to stricter compliance obligations. You can also be classified as a joint controller, whereby two or more controllers determine the purposes and means of processing. Essentially, joint controllers have the same or shared purpose for their processing activities. 

What Is Your Role as a Data Controller? 

Data controllers must comply with the UK GDPR for all processing activities, including any carried out by a third-party processor. 

You must: 

• Comply with the seven data protection principles as outlined in Article 5 of the UK GDPR.
• Allow data subjects (individuals) to exercise their individual rights, including the right to access (through subject access requests), erasure, rectification, objection and others. For more information, read our guidance on data subject rights. 
• Implement technical and organisational security measures to protect personal data from unauthorised or unlawful processing, accidental loss, destruction or damage. 
• Assess the measures your chosen data processor is taking to process data in compliance with the UK GDPR. 
• Enter into contracts with your data processor which outline set requirements for them to follow. 
• Notify the ICO and affected individuals of personal data breaches when required (if the violation is high risk to the individual’s rights and freedoms).
• Fulfil your accountability obligations, such as completing data protection impact assessments (DPIAs) and appointing a data protection officer (DPO). (You may not require the latter – find out if you need a DPO in our blog.) 
• Work alongside supervisory bodies to allow them to carry out their responsibilities.
• Comply with the UK GDPR’s restrictions on personal data transfers outside the UK.
• Pay your data protection fee, unless you are exempt. 

What Is a Data Processor? 

A data processor is an individual (external to the controller’s workforce) or legal body that processes personal data on the controller’s behalf. 

For example, an employer (the data controller) provides an employee’s salary and personal details to a payroll accountant. The accountant (processor) processes this data to generate payslips, acting on the employer’s instructions without deciding what data is collected or how it’s used. 

As such, a processor cannot act in their own interests. They can, however, subcontract some or all of the processing to another processor. Doing this makes you a sub-processor. 

What Is Your Role as a Data Processor? 

While data processors may have fewer responsibilities, they still must: 

• Follow the data controller’s instructions about processing personal data (unless required by law).
• Enter into a binding contract with the controller and follow the obligations it sets. 
• Obtain consent from the data controller if you want to outsource the processing to another processor. 
• Enter into a contract with the sub-processor (if applicable), which outlines terms and conditions similar to those in the contract between you and the controller.
• Implement relevant technical and organisational measures to maintain the security of personal data. 
• Notify the data controller of data breaches as soon as possible. You will also assist the controller with its responsibilities around data breaches.
• Alert the controller if any of their instructions would cause a breach. 
• Comply with certain accountability obligations, such as maintaining records and designating a DPO. 
• Gain authorisation from the controller when transferring data outside the UK. (International transfers must also comply with the UK GDPR’s rules.) 
• Cooperate with supervisory bodies. 

Why Knowing Your Role Is Essential

The GDPR obligations for a data controller and a data processor may overlap, but their roles are distinct. Data controllers hold more responsibility than a processor, as they have total control over the processing activities. This doesn’t mean, however, that processors can be negligent of their obligations. Both parties are just as accountable for their own compliance.  

If you’re a controller, you must ensure your processing activities uphold the UK GDPR; otherwise, you’re liable for non-compliance. Your responsibility also extends to your processors’ compliance. This means you’re obligated to assess and contractually bind any third parties on your behalf. Should a data breach occur on the processor’s behalf, you will also be held liable, unless you can prove otherwise. 

By knowing your part, you (the controller or processor) will be able to carry out everything expected of your role. This avoids any unnecessary fines, penalties and security risks that come from non-compliance. 

The data processor vs controller distinction isn’t clear-cut for every company, so it’s wise to speak to a GDPR consultancy before taking any other actions. 

Get Expert GDPR Support with Data Protection People

Confused about your responsibilities under the UK GDPR? We’ll help you understand your role, including the steps needed to achieve and maintain compliance. 

We offer flexible GDPR support, ranging from ad-hoc SARs support to fully outsourced DPO services. Want to find out how we can help? Speak to our team today, and we’ll be in touch.