
If your organisation processes personal data, understanding your role under the UK General Data Protection Regulation (‘UK GDPR’) is essential. One of the key concepts set out in the UK GDPR that you will need to understand is that of data controllers and data processors. These roles define your legal responsibilities and obligations when it comes to handling personal data.
A data controller determines the purposes and means of processing personal data, while a data processor processes the data on behalf of the controller. Failing to clearly identify whether you’re a controller, a processor, or both can lead to serious compliance issues.
This blog aims to explain what each role means, outline their key responsibilities and highlight the importance of the data processing agreement that governs the relationship between the two, along with some useful tips to help your organisation when it comes to compliance with these rules.
If you need expert support in navigating your responsibilities under the UK GDPR, contact NormCyber today to speak with our specialist Data Protection team.
What is a Data Controller?
A data controller is the party that determines the purposes and means of processing personal data. In simple terms, the controller decides why and how personal data should be processed.
What is a Data Controller responsible for?
- Ensuring there is a lawful basis for the processing.
- Providing clear privacy information to individuals (data subjects).
- Upholding data subject rights, such as access, rectification and erasure.
- Implementing appropriate technical and organisational measures to ensure data security.
- Being accountable for all data processing activities and documenting compliance efforts.
In summary, a data controller has primary responsibility for ensuring that personal data is handled in accordance with data protection laws, as they have the decision-making power over how and why data is processed.
Examples of Data Controllers
- A business collecting customer and/or business contact data to fulfil orders or provide a service.
- A healthcare provider storing patient information.
- A school managing student records.
- A business collecting information about its employees.
In many cases, the controller is the organisation that owns the relationship with the individual, for example a hospital handling patient records or an employer processing employee information. They collect the information directly and set out how it’s going to be used.
Advice for Data Controllers
- Provide a clear privacy notice to data subjects
- Carry out due diligence when appointing data processors and engage only compliant data processors
- Conduct Data Protection Impact Assessments where necessary
- Keep records of your data processing activities
- Ensure you have in place a process for responding to data subject rights
- Notify the ICO of personal data breaches within 72 hours if the breach is likely to result in harm or risk to the affected individuals
What is a Data Processor?
A data processor is the party that processes personal data on behalf of the controller. The processor acts only under the instructions of the controller and doesn’t decide why or how the data is used.
What is a Data Processor responsible for?
- Processing data only on documented instructions from the controller.
- Implementing appropriate security measures to protect data.
- Assisting the controller in meeting its GDPR obligations (e.g., with data breaches or subject access requests).
- Keeping records of processing activities.
- Not engaging another processor (sub-processor) without the controller’s approval.
Examples of Data Processors
- A cloud storage provider hosting personal data for a client.
- A payroll company handling employee salary data for another business.
- An email marketing service processing contact lists on behalf of a brand.
It’s important to note that processors can be held directly liable under the UK GDPR. For example, in 2024 the ICO issued a fine of £6.09 million after poor security led to a ransomware attack affecting NHS data.
Data Processing Agreements (DPA)
Whenever a controller engages a processor, the UK GDPR requires a Data Processing Agreement (DPA) to be in place. This legally binding contract sets out the terms under which the processor will handle personal data on behalf of the controller and ensures that the processor only processes that data for the specified purposes.
What Should a Valid DPA Include?
- The subject matter and duration of the processing.
- The nature and purpose of the processing.
- The types of personal data and categories of data subjects.
- The obligations and rights of the controller.
- The obligations and rights of the processor.
A valid DPA should also include commitments from the processor to:
- Adopt appropriate technical and organisational measures for the protection of the personal data.
- Only act on the controller’s instructions.
- Ensure confidentiality and security.
- Report any data breaches involving the controller’s personal data to the controller without undue delay.
- Assist with data subject rights and compliance obligations.
- Delete or return personal data after processing ends.
The DPA is a critical tool for demonstrating accountability and protecting the rights of individuals whose data is being processed.
Conclusion
Under the UK GDPR, clearly defining whether you’re a data controller or a data processor is more than just a formality—it’s the foundation of your data protection responsibilities. Controllers bear the primary responsibility for data processing, while processors must follow strict rules when handling data on the controller’s behalf.
If your organisation works with external vendors or manages personal data on behalf of others, having a robust data processing agreement in place is a legal requirement. Taking the time to understand and respect these roles will not only keep you compliant but also build trust with your customers and partners.
Here at NormCyber, we take the guesswork out of GDPR compliance, offering expert guidance tailored to your organisation. Whether you’re unsure about your obligations or if your current processes are up to standard, get in touch with our team for clear answers. From annual audits to day-to-day advice, we’ll help you meet your legal duties with confidence and credibility.

Written by Isabella Gibson
Isabella Gibson is a qualified data protection practitioner and a member of the NormCyber data protection team. As a Data Protection Associate, Isabella delivers the Data Protection as a Service (DPaaS) Solution to norm’s widely varied client base.