Skip to content
LegalVision UK

What is a Data Controller?

Avatar photo

By Sej Lamba

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

The UK General Data Protection Regulation (UK GDPR) is the key law governing the use of personal data in the UK. Whether an organisation is a ‘data controller’ or a ‘data processor’ will determine its obligations under the UK GDPR. This article will explain what a data controller is and its key obligations under the UK GDPR. 

What is a Data Controller?

Under the UK GDPR, a data controller is a person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data.

Thus, a data controller decides what to do with personal data. For example, a data controller may be an organisation that chooses to use the personal data of individual customers for marketing purposes. A data controller may also decide how to use its staff’s data to manage its employment relationships. 

In contrast, a data processor simply acts on the instructions of the data controller and does not have control over personal data. 

How to Decide if You Are a Data Controller

In practice, it can be hard to distinguish whether an organisation acts as a data controller or a data processor. It is something parties can often argue about and an issue that often crops up in negotiations of contracts involving the processing of personal data. 

To determine if you are a data controller, ask yourself the following key questions:

  • Do you have full control over all the personal data you use in your organisation?
  • Do you make decisions about your data processing activities?
  • Are you ultimately in charge of and responsible for the personal data you are processing (including how long you keep it and when it is deleted)?

If the answers are all yes, you are highly likely to be acting as a data controller. 

Sometimes, however, it can be challenging to gauge whether you are a data controller or processor. If in doubt, seek legal advice, as understanding your position and consequent obligations is critical for GDPR compliance

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

What Does It Mean if You Are a Data Controller?

Compliance with UK GDPR is mandatory for any business using personal data. The law applies to virtually all businesses, as most businesses collect and use some form of personal data. For example, most businesses collect personal information about customers, suppliers and staff.

Data controllers have several obligations under the UK GDPR. Data controllers are responsible for compliance and must be able to demonstrate their compliance. UK GDPR compliance is not a one-size-fits-all approach. What your organisation needs to do to comply with the UK GDPR depends on how it uses personal data.

Key Obligations for Data Controllers

As a data controller, you have several obligations. For example, you must carry out an information audit or mapping exercise to document: 

  • what personal data your organisation holds;
  • where the data came from; and 
  • who you share the data with. 

In addition, data controllers must pay the UK Information Commissioner’s Office an annual data protection fee. Note that some businesses may be exempt from this requirement.

Most data controllers need to record their data processing activities. Typically, data controllers will maintain a record of processing activities. This sets out all of the personal data they process and why. Furthermore, data controllers should provide privacy information to all individuals whose personal data they process. Data controllers commonly provide privacy policies or notices to individuals, such as customers and staff. 

As a data controller, be weary of and carefully consider any third parties with whom you share personal information. For example, this may include IT suppliers with access to staff databases or CRM systems. The UK GDPR sets out strict requirements for data sharing. This includes the need for data controllers to have contracts with third-party processors. These contracts will consist of various mandatory terms. 

Data controllers must follow strict legal rules when transferring personal data to countries outside the UK.

Staff training on data protection laws is crucial for data controllers. Staff should also be issued with: 

  • data protection law guidance; and 
  • a Data Protection Policy document setting out rules around how to process personal data.

Data controllers must comply with various internal procedures and documents. These will often factor into your business’s GDPR compliance. For example, your systems and policies should address how to deal with: 

  • data subjects’ rights; 
  • requests; and 
  • personal data breaches.

Data security is very important for data controllers. They must implement ‘appropriate technical and organisational security measures’ to ensure the security of personal data. 

Note that these are only some of the obligations for data controllers under the UK GDPR. The UK GDPR sets out various other legal rules to follow. If you are a data controller, you must take time to understand the UK GDPR requirements and how they apply to your organisation.

Key Takeaways

If the UK GDPR applies to your organisation, it is crucial to understand whether you act as a controller or processor. A data controller is an organisation or person who decides what to do with personal data. Controllers bear most of the compliance obligations under the UK GDPR and several rules to follow when processing personal data.  

If you need help understanding your obligations under the UK GDPR or determine if you are a data controller, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

Five Steps to Ensure My Business is GDPR Compliant?

3 Documents Your Company Needs to Demonstrate GDPR Compliance

Are CCTV Systems Safe for My UK Business to Use Under the GDPR?

Are Email Disclaimers Mandatory for UK Businesses Under the GDPR?

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times