Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Not sure whether your business is a “controller” under the UK GDPR? You’re not alone. Getting this right matters because controllers carry the bulk of data protection responsibilities – and the risks if things go wrong.
In simple terms, you are a controller under the GDPR if you decide why and how personal data is processed in your business. Most UK SMEs fall into this category for at least some of their activities (think: running a website, marketing, taking bookings, paying staff).
In this guide, we’ll explain what “controller” really means for a UK small business, how to test whether you’re the controller or a processor in common scenarios, and the key duties you need to meet under the UK GDPR and Data Protection Act 2018 – with practical steps to stay compliant.
What Does “Controller” Mean Under UK GDPR?
Under the UK General Data Protection Regulation (UK GDPR), a controller is the person or business that determines the purposes and means of processing personal data. Put another way: if you decide why personal data is collected and what happens to it, you’re acting as the controller.
Three roles are helpful to keep in mind:
- Controller – the decision-maker. You decide why personal data is needed and what will be done with it.
- Processor – the service provider that processes personal data on documented instructions from the controller. They don’t decide the purpose.
- Joint controllers – two or more parties jointly decide purposes and means. They must transparently apportion responsibilities between them.
Personal data covers any information that can identify a person (names, emails, customer IDs, IP addresses, CCTV images, cookie identifiers, etc.). Processing is any operation performed on that data (collecting, storing, using, sharing, deleting).
In practice, most small businesses are controllers for the data they collect directly from customers, website users, and employees. They may simultaneously be processors for another client if they handle data strictly under that client’s instructions.
You Are A Controller Under The GDPR If You Decide The Purpose Or Means Of Processing
A useful way to test your role is to ask a few simple questions. If you answer “yes” to one or more of these, you’re likely a controller for that processing activity:
- Do you decide why you need personal data (e.g., to sell your product, market to prospects, or manage employees)?
- Do you decide which personal data is collected (e.g., sign-up fields on your website, ID documents for KYC)?
- Do you decide who gets access (e.g., your team, certain vendors, partners)?
- Do you decide how long it’s kept and when it’s deleted?
- Do you set the standards for security and retention within your business?
- Do you choose the legal basis for processing and how individuals’ rights are handled?
If your role is limited to following a client’s detailed instructions about personal data – without deciding the purpose – then for that specific activity, you’re more likely a processor.
It’s possible to be a controller for some activities and a processor for others. For example, a marketing agency will be a controller for its own HR data and CRM leads, but may be a processor when running targeted campaigns for a client using that client’s customer lists.
Common Small Business Scenarios: Are You The Controller Or Processor?
Let’s make this concrete with real-world examples. In each scenario, decide whether you’re determining purposes and means (controller) or following instructions (processor).
Scenario 1: E‑Commerce Website
You run an online shop. You collect customer names, emails, addresses, and payment details to fulfil orders and send product updates.
- Your role: Controller for your customers’ personal data. You decide why you collect it (to sell and deliver products, for marketing) and how it’s used and stored.
- Third parties: Your payment gateway and hosting provider are usually processors acting on your instructions (though some services act as independent controllers for parts of what they do, such as fraud screening). You should have a Data Processing Agreement in place with processors.
- What this means: You need a clear Privacy Policy on your site, a Cookie Policy if you use cookies/analytics, and you must map your data flows and legal bases for processing.
Scenario 2: B2B Services Firm (Marketing, IT, Design, Consultancy)
You provide services to other businesses. Sometimes clients give you spreadsheets of their customers to work with.
- Your role: Often a processor where you handle the client’s customer data only on their instructions (e.g., sending a campaign). You’re a controller for your own sales pipeline, website users, and staff data.
- Third parties: If you store client data in tools like cloud storage or email platforms, those tools are your sub‑processors. You need that Data Processing Agreement and must pass on GDPR terms to sub‑processors.
- Watch out for: Scope creep. If you start using client data for your own purposes (e.g., adding their contacts to your marketing), you’ve likely become a controller for that misuse – and risk a breach.
Scenario 3: Employer Handling Staff Data
You employ staff and manage payroll, performance, and health and safety records.
- Your role: Controller. You decide why and how employees’ data is processed to run the business and meet legal obligations.
- What this means: You must provide employee privacy information, have appropriate retention and access rules, and respond to rights requests within legal timeframes (see SAR deadlines).
Scenario 4: CCTV And Access Control
You install CCTV in your shop or office to deter theft or protect staff.
- Your role: Controller. You determine why the cameras are used, where they point, how long footage is kept, and who can view it.
- What this means: Clear signage, a privacy notice covering CCTV, restricted access, and proportional retention are essential. If your vendor hosts the footage, they’re generally your processor.
Scenario 5: Using Cloud Tools
You store customer files in a cloud drive or use SaaS tools to run your business.
- Your role: Still the controller for your customers’ and staff’s data. The cloud provider is usually your processor.
- What this means: Do due diligence on security and data location, set instructions in your agreements, and check whether the provider’s features align with your compliance needs. If you’re weighing a platform’s suitability, our practical look at Google Drive and GDPR is a helpful reference point.
What Are A Controller’s Legal Duties In The UK?
As a controller, your business must meet the UK GDPR’s core principles and obligations. Here are the essentials in plain English.
Lawfulness, Fairness, Transparency
Every processing activity needs a lawful basis (e.g., contract, legitimate interests, consent in specific contexts, legal obligation). You must be transparent by telling people what you collect and why – typically via a layered privacy notice and site Privacy Policy.
Purpose Limitation And Data Minimisation
Collect only what you need for a specific, stated purpose – and don’t repurpose it without a proper basis. Avoid collecting extra fields “just in case.”
Accuracy And Storage Limitation
Keep data accurate and up to date, with clear deletion schedules. Don’t keep personal data longer than necessary for the purpose.
Security (Integrity And Confidentiality)
Implement appropriate technical and organisational measures: access controls, encryption at rest/in transit where proportionate, staff training, role-based access, vendor due diligence, and incident response.
Accountability
You need to be able to show your working: policies, records of processing activities, risk assessments (including DPIAs where required), and contracts with processors. This is the backbone of your compliance programme.
Individual Rights
Controllers must recognise and respond to rights requests (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). Time limits are tight, so set up processes and track SAR deadlines carefully.
Cookies And Direct Marketing
If you use non-essential cookies (analytics, advertising) you’ll need consent and clear information. Put a compliant banner in place and publish a Cookie Policy. For email/SMS marketing, follow PECR rules, including the “soft opt‑in” where it applies.
Processor Management
When you engage processors (cloud tools, marketing platforms, payroll providers), you must have a written Data Processing Agreement with UK GDPR Article 28 clauses, set clear instructions, and monitor compliance. If data is transferred outside the UK, ensure a transfer tool is in place and assess protections.
Data Sharing With Other Controllers
If you share personal data with another independent controller (not a processor), document the purposes, lawful basis, and responsibilities. Where regular sharing occurs, a Data Sharing Agreement can help clarify roles, security, and incident handling.
Fees, Registration, And The ICO
Most businesses must pay a data protection fee to the ICO unless an exemption applies. It’s quick to check – start with the ICO’s self‑assessment or review practical guidance on ICO fee exemptions.
Breach Response
Have an incident response plan. If a breach risks individuals’ rights, you must notify the ICO within 72 hours, and sometimes notify affected individuals too. Controllers are responsible for coordinating the response (even if a processor caused the issue).
Essential Documents And Contracts Controllers Should Have
To meet the accountability principle and protect your business, it’s wise to formalise your compliance with tailored documents and contracts. At a minimum, most UK SMEs acting as controllers should have:
- Website Privacy Notice and internal privacy policy that reflect your data flows and lawful bases, often published as a customer‑facing Privacy Policy.
- Cookie controls and a clear Cookie Policy, including consent management for non‑essential cookies.
- Records of Processing Activities (ROPA) to document your purposes, categories of data, retention periods, security measures, and recipients.
- Data Processing Agreement with each processor covering Article 28 requirements and sub‑processor rules. You can embed these into your vendor onboarding process using a standard Data Processing Agreement.
- Data Sharing Agreement where you share data with other controllers on a regular basis, to set out roles, lawful bases, and security – a Data Sharing Agreement helps mitigate responsibility gaps.
- Rights Request (DSAR) Playbook and logs to manage identity checks, scoping, exemptions and the one‑month response period (see our explainer on SAR deadlines).
- Security And Breach Response procedures – who does what, within what timeframe, and how you assess risk and notification duties.
If you prefer an integrated approach that pulls these pieces together, a tailored GDPR toolkit can save time and reduce risk by standardising processes across your business. Many SMEs opt for a pragmatic bundle to cover the essentials from day one.
Practical Steps To Stay Compliant (And Avoid Fines)
Here’s a sensible, no‑nonsense roadmap for controllers who want to get the privacy basics right without turning it into a full‑time job.
1) Map Your Data And Identify Your Roles
- List your processing activities: website analytics, checkout, CRM, support tickets, payroll, CCTV, marketing, events.
- For each activity, confirm whether you’re the controller or a processor (or joint controller).
- Note what personal data you collect, where it’s stored, who accesses it, and retention periods.
2) Choose A Lawful Basis And Minimise Data
- Decide the lawful basis per activity (contract, legitimate interests, consent, legal obligation, etc.).
- Cut any personal data you don’t truly need. Shorten retention where possible.
3) Sort Your Notices, Policies, And Cookies
- Publish an accurate Privacy Policy that matches your data map.
- Implement a compliant cookie banner and a clear Cookie Policy.
- Provide employee privacy information and onboarding training.
4) Tidy Up Your Vendor Contracts
- Identify all processors and sub‑processors (hosting, SaaS, email, payment, HR platforms).
- Put a Data Processing Agreement in place with each processor, ensuring you have audit rights, security standards, and breach notification obligations.
- Where you share data with other controllers, document roles with a Data Sharing Agreement and align on retention and security.
5) Build A Lightweight Rights And Breach Process
- Set up a simple DSAR workflow: identity checks, search locations, review for third‑party data, and a timetable aligned with SAR deadlines.
- Create a breach playbook: how incidents are spotted, triaged, and (if needed) reported within 72 hours.
6) Keep Evidence (Accountability)
- Maintain records of processing, DPIAs for higher‑risk processing, training logs, and vendor due diligence.
- Calendar reviews for retention periods and policy updates.
- Check whether you must pay the ICO data protection fee, or whether an exemption applies – it’s easy to slip up here, so revisit ICO fee exemptions annually.
7) Make It Usable For Your Team
- Privacy compliance sticks when it’s practical. Keep policies short, provide checklists, and embed privacy into day‑to‑day tools.
- Train staff on data handling, phishing awareness, and escalation paths – little mistakes are what usually cause breaches.
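The roadmap above (map your data and roles, record a lawful basis and retention period per activity, check that every processor has a Data Processing Agreement, and be ready for the 72-hour ICO notification clock) can be kept as a small, checkable data map rather than a document that goes stale. The script below is an added example, not code from Sprintlaw or from this article; the record layout, field names and the sample online-shop data map are constructed for illustration, and the retention figures in it are hypothetical choices a business would make for itself.

```python
"""Constructed example: a minimal data map with automated compliance checks.

The layout of each processing activity (role, lawful basis, retention period,
processors and their DPA status) is assumed for this example, not prescribed
by the UK GDPR. The checks mirror the roadmap steps: identify your role,
record a lawful basis per activity, set retention, have a DPA with every
processor, and know the deadline for notifying the ICO after a breach.
"""
from datetime import datetime, timedelta, timezone

ROLES = {"controller", "processor", "joint controller"}
LAWFUL_BASES = {"contract", "legitimate interests", "consent",
                "legal obligation", "vital interests", "public task"}

# Constructed sample data map for a small online shop (not real data).
DATA_MAP = [
    {"activity": "checkout", "role": "controller", "lawful_basis": "contract",
     "data": ["name", "email", "address", "payment token"],
     "retention_days": 6 * 365,  # hypothetical retention chosen by the business
     "processors": [{"name": "payment gateway", "dpa_signed": True},
                    {"name": "hosting provider", "dpa_signed": True}]},
    {"activity": "email marketing", "role": "controller", "lawful_basis": "consent",
     "data": ["email", "name"], "retention_days": 2 * 365,
     "processors": [{"name": "email platform", "dpa_signed": False}]},
    {"activity": "client campaign (agency work)", "role": "processor",
     "lawful_basis": None,  # the client, as controller, decides the basis
     "data": ["client customer list"], "retention_days": 30, "processors": []},
    {"activity": "website analytics", "role": "controller",
     "lawful_basis": None,      # gap: nobody recorded a basis
     "data": ["cookie id", "IP address"],
     "retention_days": None,    # gap: no retention period decided
     "processors": [{"name": "analytics vendor", "dpa_signed": True}]},
]


def review_data_map(data_map):
    """Return (activity, issue) findings a controller needs to fix."""
    findings = []
    for act in data_map:
        name = act["activity"]
        if act["role"] not in ROLES:
            findings.append((name, "role not identified"))
        # A controller must record its own lawful basis; a processor follows
        # the client's documented instructions instead.
        if act["role"] != "processor" and act["lawful_basis"] not in LAWFUL_BASES:
            findings.append((name, "no valid lawful basis recorded"))
        if act["retention_days"] is None:
            findings.append((name, "no retention period set"))
        for proc in act["processors"]:
            if not proc["dpa_signed"]:
                findings.append((name, f"no Data Processing Agreement with {proc['name']}"))
    return findings


def records_past_retention(records, data_map, now):
    """Return ids of stored records older than their activity's retention period."""
    retention = {a["activity"]: a["retention_days"] for a in data_map}
    overdue = []
    for rec in records:
        days = retention.get(rec["activity"])
        if days is None:
            continue  # no period set; review_data_map already flags this
        if now - rec["collected"] > timedelta(days=days):
            overdue.append(rec["id"])
    return overdue


def ico_notification_deadline(became_aware):
    """Latest time to notify the ICO: 72 hours from becoming aware of the breach."""
    return became_aware + timedelta(hours=72)


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    # Constructed stored records keyed to the "email marketing" activity.
    sample_records = [
        {"id": "cust-1", "activity": "email marketing",
         "collected": datetime(2021, 1, 1, tzinfo=timezone.utc)},
        {"id": "cust-2", "activity": "email marketing",
         "collected": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    ]
    for activity, issue in review_data_map(DATA_MAP):
        print(f"[{activity}] {issue}")
    print("overdue for deletion:", records_past_retention(sample_records, DATA_MAP, now))
    print("ICO notification deadline:", ico_notification_deadline(now))
```

Run against the sample map, the review flags the missing DPA with the email platform and the two gaps in the analytics activity, while the checkout and the agency's processor-only work pass; the retention check then lists the one marketing contact held beyond the two-year period. Re-running this on each calendar review is a cheap way of keeping the accountability evidence current.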
If this feels like a lot, don’t stress. You can phase it in and start with the highest‑risk areas first (website, marketing, vendor contracts), then build out the rest. The most important thing is to set clear responsibilities and make privacy a routine, not a one‑off project.
Key Takeaways
- You are a controller under the GDPR if you decide the purposes or means of processing personal data. Most UK SMEs are controllers for their customers’, users’ and employees’ data.
- Your controller duties include lawful bases, transparency, minimisation, security, accountability, and responding to rights requests under the UK GDPR and Data Protection Act 2018.
- Publish an accurate customer‑facing Privacy Policy, implement cookie consent with a Cookie Policy, and maintain records that prove your compliance.
- When using vendors, put a Data Processing Agreement in place and perform sensible due diligence. If you share data with other controllers, document roles with a Data Sharing Agreement.
- Build simple processes for rights requests and incidents, and track your timelines against SAR deadlines.
- Don’t forget the ICO data protection fee – check for ICO fee exemptions and review annually as your business evolves.
If you’d like help confirming whether you’re a controller or processor in a tricky scenario, or you need tailored documents that actually fit how your business works, our experienced team can support you. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.