Understanding GDPR Data Controller

By now most of us have heard of the General Data Protection Regulation (GDPR). But in case you’ve been carefully avoiding the news since 2017, it’s a law put in place by the EU which strengthens the protection of citizens’ data.

GDPR has brought with it some very stringent penalties for non-compliance. And if your business isn’t yet compliant, you could be at risk of an astronomical fine, as well as lasting brand damage.

The UK’s Information Commissioner’s Office (ICO) collected the second-highest total value of fines for data protection violations last year, with businesses paying €43,901,000 (roughly £39.7 million) for breaching GDPR.


However, putting GDPR into practice raises some really big questions. Who is liable in the event of a breach? What is a GDPR data controller? And who is the GDPR data processor? Let’s take a look at each in turn.

1) What is GDPR?

Before we understand the role of a GDPR data controller, we need to tackle what GDPR is. To put it in simple terms, GDPR forbids the misuse of EU citizens’ data. And it applies whether your company is based in the EU or not.

2) Who is the GDPR Data Controller?

The ‘GDPR data controller’ is the organisation that decides how and why customers’ personal data is processed. In other words, it’s usually your business. You collect and control the data but, crucially, you don’t necessarily have to hold or process it. However, even if you don’t process it yourself, you’re still responsible for how it is used, stored and deleted.

3) What are the GDPR Data Controller’s responsibilities?

Under GDPR, data controllers are obliged to:

  • Protect personal data against compromise or loss by implementing strict technical and organisational measures to secure data
  • Have a legal agreement with your processors to ensure they only act on your instructions and comply with GDPR

4) Who is the GDPR Data Processor?

A data processor, on the other hand, is the company or person who processes personal data on behalf of the controller. To give a few examples, it could be your data storage provider, payroll company, accountant or marketing agency.

5) What are the GDPR Data Processor’s responsibilities?

Under GDPR, data processors have a lot more responsibilities, including:

  • Appointing a Data Protection Officer if their business processes sensitive or ‘big’ data
  • Responsibility for implementing significant security measures
  • Maintaining a record of all data processing operations under their responsibility
  • Informing the data controller(s) immediately of any leaked data
  • Becoming a joint controller for any data processing they carry out beyond the scope of the controller’s instructions

In Summary

GDPR has changed the way we process and control data. And understanding your role as a data controller, processor or both is crucial – both to avoid legal hot water and protect your customers.

Are you looking to get GDPR-compliant and improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

If you are interested in easy Cyber Essentials and GDPR certification
