Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles any personal data - customer emails, employee records, analytics, CCTV footage - you’ll be asked a key question sooner or later: are you the data controller or the data processor?
It’s not just semantics. Your role under the UK GDPR and the Data Protection Act 2018 dictates your legal duties, contract terms, and who is on the hook if something goes wrong.
In this guide, we’ll break down the difference in plain English and help you work out your status in common small business scenarios. We’ll also outline the documents you need and the practical steps to stay compliant from day one.
Why Controller Vs Processor Status Matters For Small Businesses
Getting this right affects almost everything about how you run data in your business. In short:
- If you’re a controller, you decide why and how personal data is used. You’re responsible for transparency, choosing a lawful basis, honouring individual rights, security, and overall compliance.
- If you’re a processor, you act on a controller’s instructions. You must follow their directions, put robust security in place, help them meet their obligations, and only use subcontractors with permission.
Why this matters in practice:
- Contracts: Controllers must ensure they have a compliant Data Processing Agreement (DPA) with each processor. Processors should refuse work without one.
- Liability: Controllers are primarily accountable to the ICO. Processors have direct legal duties too (e.g. security, breach notification) and can be liable for failing to follow the law or the DPA.
- Transparency: Controllers must provide a clear, accessible Privacy Policy and manage cookies and tracking lawfully (e.g. via a compliant Cookie Policy).
The bottom line: understand your role and put the right documents and processes in place now - it will save headaches and costs later.
Quick Definitions Under UK GDPR
Data Controller
A controller decides the “purposes” and “means” of processing personal data. In plain terms, you choose why the data is collected and the key ways it’s used.
Typical small business controllers include retailers collecting customer details to fulfil orders, professional services firms storing client files, or employers holding staff records for HR and payroll.
Joint Controllers
Sometimes two or more organisations jointly decide the purposes and means. In those cases, they’re joint controllers and should have a written arrangement allocating responsibilities, especially around transparency and individual rights.
Data Processor
A processor processes personal data on behalf of a controller, following their written instructions. Think of payroll providers, outsourced IT support with access to systems, or marketing agencies running campaigns using the client’s customer lists. Processors don’t get to decide why the data is used - that’s the controller’s job.
A Practical Test – Are You A Controller Or Processor?
Ask yourself these questions. The answers usually point you in the right direction:
- Who decided to collect this data in the first place and for what purpose? If it’s your business decision (e.g. to sell, support, invoice, or market), you’re likely a controller.
- Do you decide the key means (e.g. what data fields are essential, which systems to use, how long to keep the data) for your own business purposes? That’s controller behaviour.
- Are you following a client’s detailed instructions to process their data for their purposes? That’s a processor role.
- Do you want to re-use the data for your own analytics, product improvement, or cross-selling? That suggests you’re at least a controller of those additional purposes.
Let’s walk through common small business scenarios.
Example 1: Online Shop
You collect customers’ names, addresses, emails and payment details to fulfil orders and send updates. You decide what to collect, how long to store it, and which couriers or SaaS tools to use.
You’re a controller. Your payment gateway and email service provider are likely processors for your shop data (though they may act as controllers for their own regulatory purposes, like fraud prevention).
Example 2: Marketing Agency
You run email campaigns using a client’s customer list to achieve the client’s goals. You don’t decide why the data is processed and you can’t re-use it for your own ends.
You’re usually a processor. You’ll need a DPA with your client and appropriate agreements with any sub-processors you use (e.g. email platforms).
Example 3: SaaS Platform
You provide a platform to business customers. They upload and manage their customer data inside your service. You also analyse usage to improve your product and run security monitoring.
You’re a processor for customer content you host on their behalf. You may be a controller for your own limited purposes (e.g. analytics, billing, security logs). You’ll need to separate these roles in your contracts and privacy notices.
Example 4: HR/Payroll Provider
You process employee data for client businesses according to their instructions (e.g. salaries, tax, leave records).
You’re a processor for the client’s HR data. You’ll need a DPA, technical and organisational security measures, and a clear process for breaches and subject access requests.
Example 5: Marketplace Operator
You run a marketplace connecting buyers and sellers. You decide how accounts work, what data is required, and how messaging and payments operate.
For marketplace operations and trust-and-safety, you’re likely a controller. For messages or data a seller imports solely to manage their buyers (depending on design), the seller might be a separate controller and you could be a processor for certain functions. This is a classic “mixed role” model - map it carefully and reflect it in your terms.
Common Grey Areas And How To Resolve Them
Joint Controllers With Partners
If you and a partner jointly decide to build a shared database and co-run campaigns, you might be joint controllers. You should agree in writing who handles transparency, rights requests, and breach notifications. Don’t leave it vague - the ICO expects you to explain the “essence” of the arrangement to individuals.
Processors Using Sub-Processors
Processors often need tools or subcontractors (e.g. cloud hosting, email delivery). You must get the controller’s prior written authorisation (specific, or general with a right to object to changes), flow down the same data protection obligations in your own contract with the sub-processor, and stay fully responsible to the controller for anything your sub-processors do.
Mixed Roles In One Relationship
It’s normal for a vendor to be a processor for “customer content” but a controller for billing data and service analytics. That’s fine - just document it clearly. In your terms, define what you process “on behalf of” the client versus what you control for your own legitimate interests, with appropriate opt-outs and transparency.
Who Sets Lawful Basis?
Controllers choose the lawful basis (e.g. contract, legitimate interests, consent) and are responsible for privacy notices. Processors shouldn’t go beyond instructions or pick new purposes.
International Data Transfers
If data leaves the UK, controllers must ensure appropriate safeguards (e.g. UK IDTA, EU SCCs with UK addendum, or an adequacy decision). Processors must only transfer as instructed and with proper safeguards in place.
What Documents Do You Need In Place?
Once you understand your role, make sure you have the right paperwork to protect your business and meet the UK GDPR’s requirements.
If You’re A Controller
- Privacy Notice: You must tell people what you collect, why, your lawful bases, who you share data with, transfers, retention, and rights. Have a clear, tailored Privacy Policy on your website and in-app.
- Data Sharing: When you share data with another controller (e.g. a partner or supplier acting in their own capacity), put a Data Sharing Agreement in place to allocate responsibilities.
- Processor Contracts: For each vendor processing on your behalf (hosting, email, CRM), you need a compliant Data Processing Agreement and, where relevant, a detailed Data Processing Schedule covering security, retention, sub-processing, and assistance with rights and breaches.
- Cookies And Tracking: Make sure your Cookie Policy matches your site, and ensure consent flows align with PECR. If you’re unsure, review your banners against best practice for cookie banners that comply.
- Breach Readiness: Have a tested Data Breach Response Plan so you can notify the ICO within 72 hours of becoming aware of a reportable breach, and tell affected individuals without undue delay where the breach is likely to result in a high risk to them.
- Rights Requests: Set up a process and templates for handling a Subject Access Request, plus rectification, erasure, and objection requests within statutory time limits.
If You’re A Processor
- DPA With Each Client: Don’t start work without a signed Data Processing Agreement. It should reflect your actual services, sub-processors, and security measures.
- Security And Confidentiality: Implement proportionate technical and organisational measures, staff confidentiality, and access controls. Be ready to evidence them to clients.
- Sub-Processor Governance: Keep an up-to-date list, secure authorisation, and flow down the same data protection obligations contractually.
- Assistance Duties: You must assist the controller with breaches, DPIAs, and rights requests. Build these processes into your operations and service levels.
- Transfers: Only transfer outside the UK on the controller’s documented instructions and with appropriate safeguards.
Avoid generic templates or DIY guesswork - your documents should match your real-world data flows, tools and risk profile. That’s the best way to stay protected and credible with customers.
Operational Steps To Stay Compliant
1) Map Your Data Flows
List the data you hold, where it comes from, why you use it, who you share it with, where it’s stored, and how long you keep it. This single exercise unlocks most answers about controller/processor roles and what contracts you need.
2) Minimise And Protect
Only collect what you need. Limit access on a need-to-know basis. Encrypt where sensible. Regularly review retention and delete data you no longer require. If you’re using cloud storage, consider whether your tools are Google Drive GDPR compliant in your specific setup, or if you need additional measures.
3) Choose Vendors Carefully
Check security credentials, hosting locations, sub-processor lists, and incident response. Bake your requirements into contracts and onboarding checklists. Controllers should maintain a vendor register and review it regularly.
4) Prepare For Rights Requests
Train your team to recognise a SAR (it can arrive by any channel, including social media) and route it quickly. Use clear intake channels and track deadlines. As a controller, plan how you’ll verify identity, search systems, redact third-party data, and respond within one month (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month). Processors should have playbooks to support clients efficiently.
5) Keep Your Notices And Banners Current
If you add new tracking or change purposes, update your privacy and cookies information. Align your consent interface with current guidance, including offering reject all cookies choices where needed.
6) Budget For The ICO Fee
Most UK businesses processing personal data must pay the ICO data protection fee (with some exemptions). Check whether you qualify for any ICO fee exemptions and ensure you’re registered if required.
7) Train Your Team And Set Internal Rules
Give staff practical, role-based training. Put simple policies in place (for example, an Acceptable Use Policy) to set expectations around handling data, devices and systems.
FAQs About Controllers And Processors
Can You Be Both A Controller And A Processor?
Yes - many service providers are processors for “customer content” but controllers for their own platform analytics, billing, fraud detection or legal compliance. Separate the roles by purpose, document them clearly, and provide the right notices for the parts where you act as a controller.
Who Is Liable If There’s A Breach?
Controllers are accountable for overall compliance and reporting to the ICO where required. Processors have direct duties too (security, breach notification to controllers, record keeping). Each party can face enforcement if they fail their respective obligations, and contracts often allocate additional responsibilities and indemnities.
Do You Need Consent To Share Data?
Not always - consent is just one lawful basis. Controllers should assess whether sharing is necessary for contract, legitimate interests, or legal obligations, and ensure transparency. There are also limited scenarios where businesses can share personal information without consent, but you must still meet UK GDPR principles and safeguards.
What About Using Tools Like ChatGPT Or Cloud Storage - Who’s The Controller?
You’re typically the controller for data you input to these tools for your business purposes. The tool provider may be a processor or a separate controller depending on its service model. Review the provider’s terms carefully and assess your compliance, including whether features can be configured for privacy. If you’re experimenting with AI, follow sound practices outlined in ChatGPT GDPR privacy steps and avoid entering unnecessary personal data.
How Do Cookies Fit In?
Cookies and similar technologies are regulated by PECR as well as UK GDPR. Apart from cookies that are strictly necessary to provide a service the user has asked for (e.g. session or basket cookies), you need clear information and consent before setting them, and rejecting must be as easy as accepting. Make sure your banner, consent records and Cookie Policy match what your site actually does.
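The consent gate the cookie points above describe (consent before non-essential cookies, a reject-all choice that is honoured, and a consent record you can evidence) is easy to get wrong in practice, typically by loading the analytics tag before the banner is answered. The block below is an added example, not code from the original article or from Sprintlaw; the `store` and `loaders` interfaces are assumptions introduced so the logic can run outside a browser (on a real site the store would wrap `document.cookie` and the loaders would inject the analytics or marketing scripts), and the category names and version number are constructed for illustration.

```javascript
// Added example: a minimal consent gate for non-essential cookies/scripts.
// Bump CONSENT_VERSION whenever your Cookie Policy or categories change so
// visitors are asked again rather than relying on a stale decision.
const CONSENT_VERSION = 2; // assumed value for this example

class ConsentManager {
  // store:   { get(key), set(key, value) } - assumed interface standing in for document.cookie
  // loaders: { category: fn } - one function per NON-essential category; essential
  //          cookies (session, CSRF, basket) are never gated and do not belong here
  constructor(store, loaders, now = () => Date.now()) {
    this.store = store;
    this.loaders = loaders;
    this.now = now;
    this.loaded = new Set();
  }

  // The recorded decision, or null if there is none or it predates the current policy.
  current() {
    const raw = this.store.get('cookie_consent');
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    if (rec.version !== CONSENT_VERSION) return null;
    return rec;
  }

  // Records an explicit choice. A rejection is stored too: it stops the banner
  // reappearing on every page and is your evidence of what the visitor chose.
  record(choices) {
    const rec = { version: CONSENT_VERSION, at: new Date(this.now()).toISOString() };
    for (const cat of Object.keys(this.loaders)) rec[cat] = choices[cat] === true;
    this.store.set('cookie_consent', JSON.stringify(rec));
    this.apply();
    return rec;
  }

  acceptAll() {
    const all = {};
    for (const cat of Object.keys(this.loaders)) all[cat] = true;
    return this.record(all);
  }

  rejectAll() { return this.record({}); }

  // Fires a non-essential loader only on an explicit opt-in for that category,
  // and only once per page. No decision means no loading, not implied consent.
  apply() {
    const rec = this.current();
    for (const cat of Object.keys(this.loaders)) {
      if (rec && rec[cat] === true && !this.loaded.has(cat)) {
        this.loaders[cat]();
        this.loaded.add(cat);
      }
    }
    return [...this.loaded];
  }

  needsBanner() { return this.current() === null; }
}

// In-memory cookie jar constructed for this example so it runs without a browser.
class MemoryStore {
  constructor() { this.data = new Map(); }
  get(k) { return this.data.has(k) ? this.data.get(k) : null; }
  set(k, v) { this.data.set(k, v); }
}

// Walks through a typical visit: page load with no decision, "Reject all",
// then a later opt-in to analytics only. Returns what actually fired at each step.
function demo() {
  const fired = [];
  const store = new MemoryStore();
  const cm = new ConsentManager(store, {
    analytics: () => fired.push('analytics'),
    marketing: () => fired.push('marketing'),
  });
  cm.apply();                                  // first page load: banner shown, nothing fires
  const firedBeforeChoice = fired.length;
  const bannerBefore = cm.needsBanner();
  cm.rejectAll();                              // visitor clicks "Reject all"
  const firedAfterReject = fired.length;
  const bannerAfterReject = cm.needsBanner();  // false: rejection is a recorded decision
  cm.record({ analytics: true });              // later changes mind for analytics only
  return { firedBeforeChoice, bannerBefore, firedAfterReject, bannerAfterReject, fired: [...fired] };
}
```

Two design points worth keeping when adapting this: the banner must present "Accept all" and "Reject all" with equal prominence (burying reject behind "manage settings" is the pattern regulators have criticised), and the stored record should carry the policy version and timestamp so you can show what a visitor agreed to and when.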
Key Takeaways
- Controllers decide why and how personal data is processed; processors act on documented instructions. Many vendors operate in mixed roles - that’s fine if you document the split clearly.
- Your role determines your duties. Controllers handle transparency, lawful basis, vendor governance and rights responses; processors focus on security, following instructions, sub-processor controls and assistance duties.
- Map your data flows early. It’s the simplest way to identify whether you’re a controller or processor in each scenario and which contracts and notices you need.
- Put the right documents in place from day one: a tailored Privacy Policy, compliant Data Processing Agreement (with a Data Processing Schedule), Data Sharing Agreement where needed, a tested Data Breach Response Plan and clear SAR procedures.
- Keep operations tight: vendor due diligence, security by design, cookie consent that actually matches your site, timely responses to rights requests, and staff training.
- Don’t rely on generic templates. Tailored documents and processes that reflect your tech stack and data flows will protect your business and build trust with customers.
If you’d like help working out whether you’re a controller or processor, or you need robust privacy documents drafted for your business, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.