Skip to content

What Do I Need to Do If My Business is Both a Data Controller and Processor?

Table of Contents

If your business acts as both a data controller and a processor, you must understand and comply with various responsibilities under UK data protection law. Handling these distinct roles involves a range of obligations that you must not neglect, failing which you could face significant penalties. This article explores key data protection law considerations if your business is a controller and a processor. 

What is the Distinction Between a Data Controller and a Data Processor?

UK data protection law is governed by the UK GDPR and the Data Protection Act 2018, which set out several principles and rules regarding how a business can process personal data. These laws are intended to protect individuals’ rights.

The law distinguishes between two key roles: 

A Data Controller

As a data controller, your business determines the purposes and means of processing personal data. 

You are primarily responsible for ensuring data processing complies with the UK GDPR. 

This means you must take a range of measures to protect personal data. This means you should manage data subject rights, and maintain transparency by providing privacy information to individuals. You will also likely need to register with the UK ICO and pay the data protection fee. Your business should also determine the lawful basis for processing personal data, and keep records of processing activities. 

A Data Processor

As a data processor, you handle personal data on behalf of the controller. 

You must follow the controller’s instructions and implement appropriate technical and organisational measures to ensure data security and compliance. Your role includes assisting the controller in fulfilling data subject rights and notifying the controller of any breaches without delay. You must follow the rules the controller sets but also have a range of responsibilities that are in your own right. 

Other obligations typically include that you must:

  • process personal data only according to the controller’s instructions, respecting the controller’s decisions about data use; 
  • protect the personal data you process with strong technical and organisational measures, including data encryption and regular security checks; and
  • document your processing activities to provide transparency and accountability, unless certain exceptions apply. 

Each role presents different types of obligations. Some responsibilities are unique, whereas others will overlap. For instance, certain controllers or processors businesses will need a Data Protection Officer.  This can be difficult for a business to navigate and manage. 

Can You Be Both a Controller and Processor?

Yes, you can. The ICO’s guidance confirms this; however, it notes that you cannot be a controller and a processor for the same processing activity. You may process the same personal data in different capacities if the purposes differ. For instance, you might process personal data as a processor on behalf of a controller while also processing it separately for your own purposes.

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

The ICO notes that as a dual-role entity, you must ensure your systems clearly distinguish between data processed as a controller and data processed as a processor. This distinction allows for applying appropriate processes and measures for each role. 

Example

Let us explore a practical example of where a business could be both a controller and a processor:

If your business is a service supplier, you may have a dual role as a data controller and data processor. 

For example, you will likely collect and control data related to your staff, such as employment details, performance records, and personal information. As such, you will act as a data controller since you control the processing of this information and decide how such information is used. 

At the same time, you act as a service supplier for clients, holding and processing their data on their behalf, following their instructions. In this scenario, you can only use client data to deliver your services for limited purposes – as you are likely a processor. 

In this scenario, you must navigate the complexities of the UK GDPR, ensuring compliance in both roles. As a data controller, you determine how to process your staff’s data. You need to implement the necessary measures to protect this data and manage data subject rights. 

As a data processor, you must strictly follow your clients’ instructions regarding their data, ensure robust security measures, and assist in fulfilling data subject requests.

This dual role presents a range of challenges, which needs careful planning to meet the requirements of the UK GDPR and maintain trust with your staff and clients. 

You should note that there are also circumstances in which parties can be joint controllers, which can be an additional consideration for businesses which gives rise to various other compliance obligations and challenges. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

How Can You Navigate the Roles of Data Controller and Processor?

Balancing the roles of the data controller and the processor can be complex. You must understand and comply with your obligations under each respective role. 

This can be complicated, but you can seek legal advice from a data protection lawyer to help you effectively manage these responsibilities. 

A data protection lawyer can assist you in understanding your obligations and putting in place any required policies and procedures to ensure that you comply with legal rules as both a controller and processor.

Key Takeaways

Understanding your role and obligations as a data controller and processor is vital and mandatory. Compliance with the UK GDPR requires careful planning and understanding of the obligations that apply to controllers and processors. When acting as both a controller and processor, your business will likely have a range of responsibilities with which you must prioritise and comply. If you are unsure about your obligations, you should seek legal advice from a data protection lawyer. 

If you need advice on managing your responsibilities as a data controller and processor, LegalVision’s experienced Data, Privacy and IT lawyers can assist you. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.

Frequently Asked Questions

1. What is the UK GDPR?

The UK GDPR sets out the principles, rights, and obligations for handling personal data to protect individuals’ privacy and ensure that organisations process data lawfully, fairly, and transparently.

2. What is the Distinction Between a Data Controller and a Data Processor?

A data controller determines the purposes and means of processing personal data. In contrast,  a data processor processes personal data on behalf of the controller. Controllers are primarily responsible for ensuring compliance with data protection laws, but processors also have obligations in their own right under data protection law. 

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards