Understanding GDPR Data Controller in 5 easy steps


Understanding GDPR Data Controller

By now most of us have heard of the General Data Protection Regulation (GDPR). But in case you’ve been carefully avoiding the news since 2017, it’s an EU law that strengthens the protection of personal data belonging to individuals in the EU.

GDPR has brought with it some very stringent penalties for non-compliance: the top tier of fines runs to €20 million or 4% of worldwide annual turnover, whichever is higher. If your business isn’t yet compliant, you could be at risk of a fine of that scale, as well as lasting brand damage.

The UK’s Information Commissioner’s Office (ICO) collected the second-highest total value of fines for data protection violations last year, with businesses paying €43,901,000 (roughly £39.7 million) for breaching GDPR.


However, putting GDPR into practice raises some important questions. Who is liable in the event of a breach? What is a GDPR data controller? And who is the GDPR data processor? Let’s take a look at each in turn.

1) What is GDPR?

Before we look at the role of a GDPR data controller, we need to tackle what GDPR is. In simple terms, GDPR sets the rules for how the personal data of individuals in the EU may be collected, used, stored and shared. And it applies whether your company is based in the EU or not: a business outside the EU is caught as soon as it offers goods or services to people in the EU, or monitors their behaviour there.

2) Who is the GDPR Data Controller?

The ‘GDPR data controller’ is the organisation that decides why and how customers’ personal data is processed (in the words of the regulation, it determines the purposes and means of the processing). In other words, it’s usually your business. You collect and control the data but, crucially, you don’t have to hold or process it yourself. Even if you outsource the processing, you remain responsible for how the data is used, stored and deleted.

3) What are the GDPR Data Controller’s responsibilities?

Under GDPR, data controllers are obliged to:

  • Protect personal data against compromise or loss by implementing appropriate technical and organisational security measures
  • Have a written contract with each processor that binds it to act only on the controller’s documented instructions and to comply with GDPR
  • Notify the supervisory authority (in the UK, the ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals
  • Be able to demonstrate compliance, for example through records of processing and documented decisions

4) Who is the GDPR Data Processor?

A data processor, on the other hand, is the organisation or individual that processes personal data on behalf of the controller and under its instructions. To give a few examples, it could be your data storage or cloud hosting provider, payroll company, accountant or marketing agency.

5) What are the GDPR Data Processor’s responsibilities?

Under GDPR, data processors have direct legal obligations of their own (under the earlier Data Protection Directive, almost all obligations fell on the controller), including:

  • Appointing a Data Protection Officer where their core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special-category data such as health data
  • Implementing appropriate technical and organisational security measures for the data they process
  • Maintaining a record of the categories of processing carried out on behalf of each controller
  • Informing the controller without undue delay after becoming aware of a personal data breach
  • Being treated as a controller in their own right for any processing they carry out beyond the scope of the controller’s instructions, with all the liability that brings

In Summary

GDPR has changed the way we process and control data. And understanding your role as a data controller, processor or both is crucial, both to avoid legal hot water and to protect your customers.

Are you looking to get GDPR-compliant and improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers the fundamentals of cyber hygiene.


What Is ‘Legitimate Interest’ In The GDPR – And How Does Direct Mail Fit In?

GDPR Legitimate Interest

A particularly notable part of the GDPR is the lawful basis known as ‘legitimate interests’, one of the six lawful bases for processing set out in Article 6(1). Processing that genuinely rests on a legitimate interest does not require the individual’s consent. A person may therefore not have to give permission to be contacted, if contacting them is justified by a legitimate interest and does not override their own rights.

What does this even mean?

What The GDPR Actually Says About Legitimate Interest

Taken from the ICO:

Article 6(1)(f) gives you a lawful basis for processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Why is this important?

A Legitimate Interest Can Be Marketing

GDPR recital 47 states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

You need to follow some rules, though!

First up, you must tell people in your privacy notice that you rely on legitimate interests, and say what those interests are (for example, direct marketing to existing customers).

You must process data in a way that does not override the interests of the individual. For example, you may need to process personal data to create customer behaviour analyses. Sharing that analysis with third parties would usually require anonymising it first.

Some impact on the individual is allowed. For marketing purposes, legitimate interests can still apply even where the processing affects the individual’s interests to some degree, provided those interests are not overridden; that is the balancing test at the heart of Article 6(1)(f).

Legitimate interests never lets you override someone’s fundamental rights. Processing you carry out for a task in the public interest, or to comply with a legal obligation (such as disclosing data to a government agency that has a lawful power to demand it), rests on the separate lawful bases in Article 6(1)(e) and 6(1)(c), not on legitimate interests.

You cannot rely on legitimate interests if there is a less intrusive way to achieve the same outcome (the ‘necessity’ part of the test). For example, if you want to analyse customer purchases to improve the ‘recommended products’ area of your website, much of that analysis can be done on anonymised data, so processing identifiable details of each individual may not be necessary.

What Legitimate Interest Means For Direct Mail

Legitimate interest is more flexible than explicit consent. It may be, for example, that you have never previously sent direct mail campaigns (letters, flyers, postcards: any physical communication you send to customers), and therefore have not requested explicit consent to use personal data in order to carry out such a campaign.

However, using data in a new way like this can be covered by legitimate interests, provided the new purpose passes the three-part test (a genuine interest, processing that is necessary for it, and a balance that does not override the individual’s rights) and is compatible with the purpose you originally collected the data for. You then need to explain, when you send your direct mail campaign, how and why you’re using the data the way you are, and give people an easy way to object.

For example, you could add a short line that says: “You’re receiving this letter because you’re a previous customer of MyCompany and we wanted to let you know about our latest products. If you don’t want any more letters, please email [opt-out email address]”.

Another example is that of ‘recommended purchases’ on websites. This can be a legitimate interest, as it can improve the buying experience of the consumer, but it does involve processing personal data in order to create the recommendations, so the same necessity and balancing tests apply.

What Does This Mean For Your Mailing Database?

Having a legitimate interest means your direct mail game is about to rocket.

You can contact your previous and new customers using direct mail under the legitimate interests basis. You can do this as long as you explain why you’re using their data in this new way (to further engage and deliver a personalised buying experience, obviously!) and provide a way for them to opt out of future direct mail campaigns.

You don’t need explicit consent to send a postal direct mail campaign, as long as the processing passes the legitimate interests test and is not detrimental to the individual’s interests. Note that this applies to physical mail: electronic marketing by email or SMS is also governed by the Privacy and Electronic Communications Regulations (PECR), which generally require consent, so the same reasoning does not carry over.

This means you can reach those who have yet to opt into your marketing. Be careful, though, with people who did not respond to a re-consent campaign: the ICO’s guidance is that you should not ask for consent and then fall back on a different lawful basis when it isn’t given, so re-engaging that group under legitimate interests is hard to justify.

(And remember: under Article 21, individuals have an absolute right to object to direct marketing. Never contact people who have already opted out, and stop as soon as anyone objects.)

Ready to create a killer direct mail campaign to re-engage with your customers? Keep an eye out for tomorrow’s blog, which is all about making your flyers and leaflets GDPR compliant.