Data controller or data processor? Understanding your responsibilities and risks

Businesses handle personal data in different ways. Some organisations referred to as “data controllers” call the shots, as they decide what the data is for and how it’s used. Others process the data on behalf of the data controller and are known as “data processors”.

By Archie Stephens

Frustrated poet

February 2018

Controller Processor

So are you a data controller or a data processor? It’s important to understand this distinction as it defines your responsibilities under EU data protection law. Previously, data processors could avoid direct liability under the law but new obligations under the GDPR changes things.

Here, we’ll explain these changes, help you correctly identify whether you fall into the processor or controller camp and outline the obligations that apply to your organisation.

What is a data controller?

The data controller is the person or body who determines the purposes and means of processing personal data. In plain English, you decide what the data is for – and what’s going to happen to it.

Personal data is essentially any information that could identify a European citizen. It includes basic ID information such as names, addresses, telephone numbers, driving licence numbers, credit card details and web identifiers (such as usernames). It also includes sensitive (or special category) personal data such as genetic and biometric information. 

So let’s say you run an e-commerce business. You’re going to collect the ID, contact and payment details of customers. The primary purpose of this is pretty obvious; to execute orders! You might have secondary purposes in mind, too; making future sales predictions and telling existing customers about new offers, for instance. In this example, the “means of processing” might be via a Cloud-based CRM system.

Can a data controller be a company or an individual?

A controller can be a company or other legal entity (such as an incorporated partnership, association or public authority), or an individual (including a self employed professional). However an individual processing personal data for a purely personal or household activity is not subject to the GDPR.

What is a data processor?

Data processing is a very wide term that basically means anything that is done to or with personal data. You might collect it manually or automatically, analyse it, use it for marketing or research purposes, or store it on behalf of someone else. In all of these situations you are “processing” that data. 

A “processor” has a very distinct meaning under the GDPR. This refers to a person or body who is separate from the data controller (i.e. not an employee) and who processes personal data on behalf of that data controller. In other words, the controller gives the processor a specific job to do – and the processor does it.

Back to the example of the e-commerce business. It offers an extended warranty period on its goods. In order to keep track of any claims that might arise from this, it has decided to keep all customer purchase records for a period of three years. It hires a company to store this data on its behalf via an online archive system. This company is a “data processor” on behalf of the e-commerce business.

What is the difference between a data controller and a data processor?

The primary responsibility for compliance rests with the controller. It’s your job to make sure individuals’ rights are upheld. The Privacy Compliance Hub gives the full lowdown on all areas of compliance data controllers need to get to grips with, but a few obligations deserve special mention:

  • Get registered (if you’re not already). Organisations that decide how personal data is processed must register with the regulator (in the UK, it’s the ICO). There’s a handy registration self-assessment tool for this.
  • Get on top of your documentation. In areas such as defining what data you need to collect, data sharing and security breach management, the GDPR places obligations on you to maintain full records. The Privacy Compliance Hub can offer precisely the methodology you need to keep on top of this.
  • Choose your processors wisely. If you outsource data processing tasks, you must look closely at potential partners’ privacy and security procedures. Only select data processors that provide proof that they will be able to perform their duties in compliance with the GDPR.

Data processors have direct statutory obligations too under the GDPR, such as:

  • Restrictions of subcontracting. As a processor, do you contract out certain activities (storage or formatting, for instance)? If so, the GDPR states that you need specific permission from the controller for this and you will need a contract with this subprocessor containing special provisions.
  • Security and reporting. If you suffer a security breach, you must notify the controller “without undue delay”.
  • Documentation. As with controllers, you are obliged to keep good records to demonstrate compliance. This includes a record of all categories of processing activities. Need to get to grips with this? The Privacy Compliance Hub can help.

Can a data processor also be a data controller?

In certain circumstances, yes. Here’s an example…

You carry out data analytics work on behalf of charities. You’ve been tasked with analysing a particular dataset containing personal information and producing a future needs prediction report. You are a “data processor” for that client.

Meanwhile, for your own research purposes, you want to analyse the information from datasets from lots of clients to produce a meta-report (assuming you get consent from the data subjects!). You’re processing the same data as before, but this time, you’re using it for a purpose that you have control over. In other words, for this, you’re a “data controller”.

If you would like a more comprehensive guide to data controllers and data processors we’d be happy to send you our very own Privacy Tip put together by our in house privacy experts. Just pop in your details below and it will be sent to you immediately by email.


Can data processors also be fined under the GDPR?

Under previous data laws, the biggest risk faced by processors who failed to live up to reasonable standards was essentially a claim for breach of contract by the controller.

But the GDPR marks a big shift. For the first time, processors face direct regulatory intervention – including reprimands and possible fines – in the event of a compliance breach. In the UK, the ICO can impose fines of up to £17.5 million or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors.

By identifying the procedures and tools you need to get compliance right, you should have everything you need to stay on top of your obligations.

For more information on data protection compliance, explore the rest of our hub here. If you’d like more information on how The Privacy Compliance Hub can bring your organisation up to speed quickly and securely, don’t hesitate to get in touch!

More to watch and read