The EU and UK General Data Protection Regulation (GDPR) defines the role of the Data Controller, making them responsible for compliance and risk management under data protection laws. Understanding the data controller concept is essential to understanding organisational obligations and to managing data protection legal risk.
Defining the Data Controller
A Data Controller is an entity (natural or legal person, public authority, agency, or other body) that determines the purposes and means of processing personal data. Simply put, they decide why and how personal data is used.
For example, a supermarket delivery service that collects customer addresses for order fulfilment and marketing acts as a Data Controller. Even if it outsources data processing, it remains fully accountable for ensuring compliance with data protection obligations.
Core Obligations of a Data Controller under GDPR
Under UK GDPR, Data Controllers have several key obligations:
- Establish Lawful Basis: Controllers must establish a lawful basis for processing data, such as consent, contractual necessity, or legal obligation.
- Secure Data: They must implement technical and organisational safeguards, such as access controls, anonymisation, pseudonymisation, and encryption.
- Maintain Data Accuracy: If a data subject informs the Controller that their information is incorrect, the Controller must update it everywhere it is stored.
- Adhere to Data Subject Rights: Data Controllers must also respect data subject rights. Individuals can request access to their data (through a Data Subject Access Request), demand rectification of inaccuracies, and in some cases, request erasure ("right to be forgotten").
- Facilitate Data Portability: Data Controllers must comply with the right to data portability, allowing individuals to obtain and transfer their personal data in a structured, commonly used, and machine-readable format. This applies when processing is based on consent or contract and carried out by automated means. Controllers must ensure secure transfer mechanisms to prevent fraud or data breaches while making the process straightforward for users.
- Dispose of Data: Controllers must also securely dispose of data when it is no longer needed, in all formats, including backups and hard copies.
Data Controllers and Processors
Data Controllers may appoint Data Processors to act on their behalf; however, the Controller remains accountable overall for the Processor's actions and will have Data Processing Agreements in place to set out expectations and obligations, including security controls and what to do in the event of a data breach.
Risk Management Considerations
In reviewing and assessing the risk and control environment around Data Controller responsibilities, consider:
- Conduct Data Protection Impact Assessments (DPIAs): Evaluate risks and document mitigations for higher-risk processing activities, such as where sensitive personal data is involved.
- Maintain Records of Processing Activities (RoPA): Keep comprehensive records detailing categories of data processed, purposes, and retention periods, which are critical for regulatory reviews and internal audits.
- Monitor Third-Party Risks: Data Controllers are accountable for the data regardless of who is processing it. Vendors processing data on your behalf must meet the same security and compliance standards as your organisation. To assess this, perform regular assessments, focusing on the vendor's own GDPR compliance, security controls, and incident response capabilities. Ask for independent assurance such as a SOC 2 report.
- Be Prepared for a Data Breach: Establish and routinely test an incident response plan, ensuring compliance with GDPR's 72-hour breach notification requirement. This should include third-party data processors from which a breach may arise.
- Adopt Privacy by Design and Default: Incorporate data protection, privacy and security controls and safeguards into products, services, and processes from the outset, and minimise what data about natural persons is collected in the first place.