Two of the key concepts within the UK General Data Protection Regulation (UK GDPR) are the roles of controllers, on the one hand, and processors, on the other. These bear the burden of compliance with UK GDPR and have overlapping but different responsibilities.
What does it mean if you are a controller?
| Controller |
|---|
| A controller is the entity which determines the purposes for which, and the means by which, personal data is processed. In essence, an organisation is likely to be a controller if it decides on the “why” and “how” of how personal data is processed. For example, an employer will be the controller of the personal data it holds concerning its employees. |
A controller bears the highest compliance burden under the UK GDPR. A controller must not only comply with, and demonstrate its own compliance with, all the data protection principles, but it can also be responsible for the compliance of its processors. A controller must be registered with the Information Commissioner’s Office (ICO) and may be subject to enforcement action by the ICO regarding a breach of its obligations.
A controller can be a “joint controller” with other controllers in relation to a set of personal data if they share a common processing purpose - for example two entities using a database in a joint marketing activity. The UK GDPR imposes additional rules in this situation.
What does it mean if you are a processor?
| Processor |
|---|
| A processor is an entity which process personal data on behalf of the controller. As such it does not define why processing is taking place and must act only on the instructions of the controller. For example, an IT service provider such as a cloud storage company is likely to be a processor as it is holding the data for the controller and not deciding how that data should be used. |
Processors have specific obligations under the UK GDPR, including ensuring the security of the data they process, reporting data breaches to controllers, and assisting controllers in meeting their obligations. Processors are also required to enter into a written agreement with controllers, outlining the terms of their engagement and specifying the security measures in place. Like controllers, they may be subject to enforcement action by the ICO.
Can you be both a controller and a processor of personal data?
Yes, one entity can be both a controller and a processor. For example, a payroll business may act as a processor as regards its clients’ data (the clients being controllers), but will be a controller of other personal data, such as data concerning its own employees.
You could even be a controller and a processor of the same personal data – but only if you are processing it for different purposes. For example, a company may have a database it owns and uses for its own marketing activities and is therefore a controller, but also uses the database to provide mailing services to clients, as their processor.
For more information or advice on data protection compliance, please contact Beverley Flynn or any member of the commercial and technology team.
Beverley Flynn
Sinead Hughes