Controllers and processors

  • Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the UK GDPR and the fair treatment of individuals.
  • Your obligations under the UK GDPR will vary depending on whether you are a controller, joint controller or processor.
  • The Information Commissioner’s Office (ICO) has the power to act against controllers and processors under the UK GDPR.
  • Individuals can bring claims for compensation and damages against both controllers and processors.
  • You should take the time to assess, and document, the status of each organisation you work with in respect of all the personal data and processing activities you carry out.
  • Whether you are a controller or processor depends on several issues. The key question is – who determines the purposes for which the data are processed and the means of processing?
  • Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.