Data Controllers and Data Processors each have specific obligations. Under GDPR those obligations have been significantly extended, even though the underlying concepts of data ‘controller’ and ‘processor’ are essentially unchanged.

What is a Data Controller?

A Data Controller is the person or organisation that determines the purposes and means of processing personal data, i.e. why personal data is processed and how.

Who is the Data Controller in an organisation?

The Data Controller is usually the business or organisation itself (the legal entity), represented in practice by its owner or senior management, and it has overall responsibility for data protection compliance.

An individual may be given data protection responsibilities within the practice, e.g. a Manager, Information Governance Lead or Data Protection Lead; however, delegating the day-to-day work does not transfer accountability, and overall responsibility for data protection always lies with the Data Controller.

A Data Controller must:

  • Comply with the Data Protection Act
  • Comply with GDPR
  • Respect individuals’ rights to privacy
  • Work within the guidance issued by the Information Commissioner’s Office (ICO)

What is a Data Processor?

A Data Processor processes personal data on behalf of a data controller, acting only on the controller’s instructions rather than deciding for itself why or how the data is used. Under GDPR processors have direct obligations of their own: they must maintain records of the processing activities they carry out for each controller, keep the data secure, and they carry legal liability if a breach results from their failure to meet those obligations or from acting outside the controller’s instructions.

Who would be a Data Processor?

A Data Processor is a separate person or organisation that the controller engages to collect or process personal data on its behalf, for example an outsourced payroll provider, an IT support company hosting the practice’s records, or a cloud email service. Staff employed by the controller are not processors: they act under the controller’s direct authority, and their processing is the controller’s own.

A Data Processor must:

  • Only process personal data on behalf of, and on the documented instructions of, the data controller
  • Take responsibility for the security of the data it collects and processes, and keep records of its processing activities
  • Maintain the data correctly, keeping it accurate and protected for as long as it is held.