Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, chances are you handle personal data every day - customer enquiries, employee records, mailing lists, online orders, or even CCTV footage.
That’s where GDPR comes in. One of the most important questions to get clear on early is what UK GDPR means by a data controller.
Understanding whether you’re a data controller (and when) isn’t just legal jargon. It affects what you must do to stay compliant, what you must put in your contracts, and what you’ll be responsible for if something goes wrong.
Below, we’ll break down what a data controller is under UK GDPR, what a data controller does, how it differs from a data processor, and what practical steps you can take to protect your business from day one.
What Is A Data Controller Under GDPR?
Let’s start with a simple, practical way to define data controller.
Under UK GDPR (which is the UK’s version of GDPR following Brexit, read alongside the Data Protection Act 2018), a data controller is the person or organisation that decides why and how personal data is processed.
In other words, if your business decides:
- why you’re collecting personal data (the purpose), and
- how you’ll use it (the key decisions about the processing),
…you’re acting as the data controller.
This is why people often ask “what’s a data controller?” - and for many small businesses, the practical answer is that you are the data controller for most of the personal data you handle.
Personal Data: What Counts?
Personal data is any information that can identify a living individual, either on its own or combined with other info. Common examples include:
- Names, email addresses, phone numbers
- Home or delivery addresses
- IP addresses and device identifiers (often through cookies)
- Customer account details
- Employee HR files
- CCTV footage where people are identifiable
Once you’re dealing with any of the above, the controller/processor question matters.
What Does A Data Controller Do? Core Responsibilities For UK Businesses
So, what does a data controller do under GDPR?
At a high level, the controller is the party with the main legal responsibility for compliance. You can outsource tasks, but you generally can’t outsource accountability.
Here are the key duties most small businesses should understand.
1) Have A Lawful Basis For Processing
As a controller, you must have a lawful basis every time you process personal data. The most common lawful bases for small businesses include:
- Contract (e.g. you need the data to fulfil an order or deliver a service)
- Legal obligation (e.g. keeping certain employment/payroll records where required by law - this is not tax advice)
- Legitimate interests (e.g. certain types of marketing or fraud prevention, if balanced properly)
- Consent (useful in some contexts, but it must be real, informed, and easy to withdraw)
This isn’t just a “tick-box” exercise - your lawful basis affects what you tell people, how long you keep data, and what rights apply.
2) Be Transparent (Privacy Notices)
Controllers have to tell people what’s happening with their data in a clear, accessible way. For most businesses, that means having a proper Privacy Policy (and making sure it matches what you actually do).
Typically, your privacy information should explain:
- What personal data you collect
- Why you collect it (purposes)
- Your lawful bases
- Who you share it with (e.g. IT providers, delivery companies)
- How long you keep it
- How people can exercise their rights
- How to complain (including to the ICO)
3) Protect The Data (Security Measures)
UK GDPR requires controllers to implement appropriate technical and organisational security measures.
“Appropriate” will depend on your business, but common examples include:
- Strong access controls (only staff who need data can access it)
- Multi-factor authentication for key systems
- Encryption for devices and backups
- Staff training and clear internal policies
- Supplier due diligence before sharing data
If your staff handle personal data on business devices (or personal devices for work), having an Acceptable Use Policy is often a practical way to set clear rules and reduce risk.
4) Use The Right Contracts When Third Parties Handle Data
Most small businesses use third-party suppliers who will touch personal data - for example:
- Cloud storage and email services
- CRM systems
- Bookkeeping and payroll services
- Marketing platforms
- Customer support tools
If those suppliers are processing personal data on your behalf, you’ll usually need a compliant Data Processing Agreement (often called a “DPA”). (In some arrangements, the supplier may be an independent controller or joint controller instead - so it’s worth checking roles carefully.) This is one of the most commonly missed controller obligations.
5) Handle Individual Rights Requests (Including DSARs)
Controllers need a process for responding to individuals’ rights requests, including subject access requests (DSARs). People may ask to:
- Access their data
- Correct inaccurate data
- Delete data (in some circumstances)
- Object to certain processing
- Restrict processing
- Have their data ported to another provider (data portability, where applicable)
If you don’t have a clear internal process, DSARs can become time-consuming fast - especially if you’re searching across inboxes, spreadsheets, and multiple platforms.
6) Be Ready For Data Breaches
If personal data is lost, accessed unlawfully, or disclosed accidentally, you may have a personal data breach.
As a controller, you may need to:
- Investigate and contain the breach quickly
- Record what happened and what you did
- Notify the ICO within 72 hours in certain cases
- Notify affected individuals if there’s a high risk to them
Having a Data Breach Response Plan helps you act quickly under pressure (and show you took compliance seriously).
Data Controller Vs Data Processor: What’s The Difference (And Why It Matters)?
A lot of confusion around the question “what is a data controller under GDPR?” comes from the fact that controller and processor roles can sound similar - especially when you outsource things.
Here’s the clean distinction:
- Data controller: decides the purpose and key means of processing (“why” and “how”)
- Data processor: processes personal data on behalf of the controller, following the controller’s instructions
A Quick Example
Imagine you run an eCommerce brand.
- You collect customer addresses to ship products. You decide why (delivery) and how (using your order platform) - you’re the controller.
- You use a fulfilment warehouse to pack and ship orders. They handle customer names and addresses only to deliver your products - they’re usually a processor (or sometimes a separate controller for parts of their operations, depending on the arrangement).
Why This Difference Is So Important
Controller vs processor affects:
- Who must provide privacy information to individuals
- Who is primarily responsible for GDPR compliance decisions
- What contract clauses you must have in place
- Who handles DSARs and other rights requests
- Liability exposure if data protection rules are breached
It can also affect your relationships with business customers. If you sell B2B services and handle personal data for clients (e.g. marketing services, IT support, HR software), they may ask whether you’re acting as a controller or processor - and your answer should be accurate.
Common Data Controller Scenarios For Small UK Businesses
Many small businesses act as a controller by default, because they set the purpose for collecting data (selling, hiring, delivering, marketing).
Here are some common “real life” controller situations.
You’re A Data Controller If You…
- Collect customer details through your website contact form
- Take online orders and store customer accounts
- Build an email marketing list
- Use cookies/analytics tools to understand website traffic
- Employ staff and keep HR records, timesheets, or payroll details
- Collect supplier or contractor contact details for accounts
You Might Be A Joint Controller If You…
Joint controllers are two or more organisations that jointly decide the purposes and means of processing.
This can happen where you collaborate closely with another business - for example, running a shared event, a co-branded campaign, or a joint customer database.
Joint controllership can be tricky, because you’ll need to clearly allocate responsibilities and tell individuals the essence of that arrangement. It’s one of those areas where getting tailored advice early can save a lot of confusion later.
You Might Wear “Two Hats”
It’s also possible to be a controller for some data and a processor for other data, depending on the service you provide.
For example, if you run a marketing agency:
- You’re likely a controller for your own staff records, supplier contacts, and business development leads.
- You may be a processor when you manage a client’s mailing list and send newsletters on their instructions.
This “two hats” situation is common - and it’s why your contracts and internal processes need to be clear about which role applies when.
How To Stay Compliant As A Data Controller: A Practical Checklist
Being a controller can feel like a big responsibility - but in practice, you can make it manageable by putting the right foundations in place.
Here’s a practical checklist you can work through.
1) Map The Personal Data You Hold
Start by listing what personal data you collect, where it comes from, where it’s stored, and who can access it.
Include:
- Customer data (sales, enquiries, support)
- Employee data (HR, payroll, performance)
- Supplier/contractor data
- Website data (cookies, analytics, logs)
This step often reveals hidden risks (like shared inboxes, unencrypted spreadsheets, or old mailing lists you’re still keeping “just in case”).
2) Check Your Privacy Information Matches Reality
If you collect personal data through a website, your privacy policy and cookie approach should reflect what you actually do.
For many small businesses, a properly drafted Privacy Policy is a strong starting point, but it must be accurate and kept up to date as your systems change.
3) Put Processor Contracts In Place (And Review Them)
Whenever you use suppliers to process personal data on your behalf, you’ll usually need terms that meet GDPR requirements.
A dedicated Data Processing Agreement can help cover the required points, such as confidentiality, security, sub-processing, and help with rights requests.
Tip: don’t assume a supplier’s standard terms cover you properly - many are written to protect them, not you.
4) Build Your Internal Rules (So Staff Don’t Guess)
A lot of GDPR issues aren’t caused by “bad intentions” - they happen when busy staff improvise.
Clear internal documents (and basic training) can go a long way, especially for:
- How to handle customer enquiries containing sensitive information
- How to store and share files
- Rules on personal devices and remote work
- What to do if an email is sent to the wrong person
An Acceptable Use Policy is one way to set ground rules without turning your business into a bureaucracy.
5) Plan For “When”, Not “If”, A Breach Happens
Even with strong security, incidents happen - lost phones, phishing emails, misdirected attachments, compromised passwords.
A Data Breach Response Plan can help you:
- act quickly and consistently,
- reduce legal and reputational fallout, and
- document your actions (which is critical if the ICO gets involved).
6) Get The Right Level Of Support
If you’re growing, hiring, scaling your tech stack, or working with lots of customer data, it can be worth getting a more complete compliance setup rather than trying to piece it together.
Depending on your needs, you may consider a tailored GDPR Package to cover the key documents and risk areas in a joined-up way.
The aim is simple: get your legal foundations right early so you can grow with confidence.
Key Takeaways
- A good working answer to what UK GDPR means by a data controller is: the business that decides why and how personal data is processed.
- If you collect customer, employee, or supplier personal data for your own business purposes, you’ll usually be acting as a data controller.
- What a data controller does includes choosing a lawful basis, being transparent via privacy notices, protecting data with appropriate security, and responding to individuals’ rights requests.
- Controller vs processor status matters because it affects contracts, compliance steps, and liability - especially when third-party suppliers handle personal data on your behalf.
- A compliant privacy policy and a proper data processing agreement are common “must-haves” for small businesses using online tools, cloud systems, and outsourced providers.
- Having a breach response plan and clear internal rules (like an acceptable use policy) can reduce risk and make compliance far more manageable day-to-day.
If you’d like help confirming whether you’re a data controller, setting up the right GDPR documents, or reviewing your current approach, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.