Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects or uses customer data in the UK, you’ve probably heard terms like data controller and data processor thrown around. Maybe you’re setting up a new website, launching an app, or working with a supplier that handles your customers’ details - and suddenly, the paperwork and compliance questions start piling up.
It can feel confusing, but knowing whether you’re classified as a data controller, a data processor, or both is absolutely crucial under the UK GDPR and the Data Protection Act 2018. Why? Because your role affects your legal obligations, how you handle risk, and the practical steps you must take to keep your business compliant (and avoid penalties).
Not sure where you fit in? Don’t stress - in this guide, we break it all down in plain English. By the end, you’ll be able to spot the difference, make the right decisions and move forwards with confidence.
What Is The Difference Between a Data Controller and a Data Processor?
Let’s start with the basics: the legal definitions. UK GDPR uses these two roles to structure privacy law responsibilities. Here’s what you need to know, without the legal jargon.
What Is a Data Controller?
A data controller is the “decision maker” when it comes to personal data. More formally, a data controller determines both the purposes (the “why”) and the means (the “how”) of processing personal data. They decide:
- Why the data is being collected or used
- What will be done with the data
- Which data items are collected
- Who may access or receive the data
Think of it this way: if your business collects customer names and email addresses to send marketing emails, and you decide what’s being collected and how you use it, you’re acting as the data controller.
Typical examples of data controllers include:
- Online shops collecting user details at checkout for order processing and marketing
- Employers holding employee data for HR purposes
- Health clinics recording patient information to provide healthcare services
What Is a Data Processor?
A data processor, on the other hand, only handles or processes personal data on behalf of a data controller. The processor must follow the controller’s documented instructions and does not decide the purpose or overall means of the processing.
- They carry out tasks like storage, organisation, or analysis of data
- They do not independently choose why or how the data is processed
- If they start making those decisions, they could be considered a controller too (which comes with more responsibilities)
For example, if an online shop hires a cloud hosting provider to store its customer database, that provider is acting as a data processor - they only hold and manage data as instructed.
Why Does This Distinction Matter Under UK GDPR?
Getting this right is more than semantics - your classification changes your day-to-day duties and your legal risk. Here’s why it matters:
- Controllers have the lion’s share of responsibilities, like issuing privacy notices, dealing with data subject rights, and reporting data breaches.
- Processors have more limited, but still significant, obligations - they must process data securely and only as directed.
- If you misclassify your role and skip the right compliance steps, you could face fines of up to 4% of global turnover, enforcement action, or reputational damage.
- It’s also common for businesses to be both a controller and a processor (for different activities), so don’t assume you’re always just one or the other!
If you’re unsure about your business’s privacy responsibilities, make sure you’ve read up on GDPR compliance basics and reach out for tailored advice if in doubt.
How Do You Work Out If You’re a Data Controller or a Data Processor?
Most businesses - especially small businesses and startups - aren’t sure which side they’re on, especially if they work with suppliers, partners, or platforms. Here’s a simple way to figure it out.
1. Ask: Who Decides “Why” and “How” Data Is Used?
The key questions are:
- Who decides what personal data to collect? If it’s you (your business), and you decide how it’s used, you’re the controller.
- Who decides how it will be processed – e.g., stored, analysed, transferred? If you decide those things (and why they’re being done), you’re likely the controller.
- If you only carry out instructions someone else gives you - for example, processing a list you’re sent without deciding on its content or use - you’re a processor.
2. Practical Scenarios: Examples in Action
- Scenario A: SaaS Provider As Data Processor
A payroll software company processes staff pay data for various client businesses. The clients decide what data they upload and how it’s used. The payroll company just hosts the application and processes the payroll as instructed - so it’s a processor.
- Scenario B: Marketing Agency As Both
An agency manages email campaigns for several businesses. When it uses customer lists and sends emails strictly as instructed, it’s acting as a processor. If, however, it decides to use that data for its own in-house analytics or to pitch services, it becomes a controller for those new purposes.
- Scenario C: Online Retailer As Data Controller
A retailer collects shopper data on its website to personalise sales offers and deliver orders. The retailer decides what data to collect, why, and how to use it. Here, it’s clearly a controller.
If you often work with third-party providers, check out our guide on working with overseas contractors and data processors.
3. Can You Be Both a Controller and a Processor?
Yes. It’s perfectly possible (and common) for a business to be a data controller for some activities and a data processor for others, depending on the context.
- Example: Your agency holds its own employee payroll data (controller) and also processes payroll data on behalf of clients (processor).
Always assess each activity separately to work out which role applies in that context.
What Are the Legal Duties of Data Controllers vs Data Processors?
Now for the nitty-gritty: what are you actually required to do, depending on your role?
Key Obligations of Data Controllers
- Decide purpose and means: Set the “why” and “how” of data processing.
- Lawful basis: Ensure all personal data you use has a valid legal reason under GDPR (e.g. consent, contract).
- Inform individuals: Notify people (e.g. via a Privacy Policy) about how you use their data and their rights. Need help? Learn more about Privacy Policies and Notices.
- Enable data subject rights: Make it easy for people to access, correct, delete or move their data.
- Data breach reporting: Notify the ICO (and individuals if necessary) within 72 hours if you suffer a data breach.
- Due diligence on processors: If you hire a data processor, make sure there’s a compliant contract in place (for example, a Data Processing Agreement).
Key Obligations of Data Processors
- Follow instructions: Only act on the controller’s documented instructions and do not use the data for your own purposes.
- Security: Implement and maintain adequate technical and organisational security measures.
- Sub-processors: Get permission from the controller before hiring any sub-processors (other suppliers who process the data).
- Assist with data subject rights and breaches: Support controllers by helping fulfil access requests or notify of data breaches.
- Keep records: Maintain accurate records about the categories of processing you carry out.
For a deeper dive into what must go into your agreements and notices, check out our services for privacy policy compliance and data processing agreements.
What Happens If You Get It Wrong?
Getting your controller/processor role wrong can have serious consequences, including:
- Regulatory fines: The ICO can issue major penalties for non-compliance (up to 4% of global turnover or £17.5 million, whichever is higher).
- Enforcement notices and orders: The ICO may force your business to stop processing data until compliance is achieved.
- Liability for damages: Individuals affected by breaches or misuse can claim compensation.
- Reputational damage: Being named and shamed publicly, leading to lost customers and trust.
- Contractual fallout: If you’re a processor, controllers may sue for loss or breach of contract if you mishandle their data.
Bottom line: taking the time to get your role right from day one protects your business as it grows.
Step-by-Step: How Should UK Businesses Approach GDPR Role Assessment?
Here’s a simple self-assessment process to work it out:
- Map your data flows: Identify all the personal data that you handle - where it comes from, who it’s about, who you share it with, and what’s done with it.
- For each processing activity, ask who decides why and how:
- If you’re making those calls, you’re the controller.
- If you only follow another party’s specific instructions with no freedom to decide purpose or methods, you’re a processor.
- Check for roles changing across activities: You might be a controller for some data, and a processor for others.
- Put the right agreements in place: Use processor agreements to manage risks with your suppliers or partners. If you need bespoke contracts, avoid templates and get them drafted or reviewed by a professional. Read more about the importance of having a lawyer review your contract.
- Stay up to date: If you add new services, start new projects, or adopt new tech, repeat this assessment.
- Get support when needed: Not sure? Speak to a legal expert who understands your sector and the nuance of your business. This is especially crucial if you handle sensitive, health, or financial data, or have cross-border operations.
Common Pitfalls And FAQs
- “We use the data system for our own analytics - are we still just a processor?”
If you use data obtained via your role as a processor for any separate purpose (i.e., not just fulfilling the controller’s instructions), you’re a controller for that use.
- “Can a processor outsource tasks?”
Yes, but only with the controller’s written authorisation - and the subcontractor must also follow GDPR rules.
- “How do we document these arrangements?”
Ensure you have a Data Processing Agreement in place for processor relationships - this is a legal requirement under UK GDPR.
- “Does this affect small businesses and startups?”
Absolutely. All UK businesses, regardless of size, must comply with UK GDPR if you handle personal data. Read more about GDPR compliance tips for small businesses.
Key Takeaways
- The distinction between data controller and data processor is central to complying with UK GDPR and the Data Protection Act 2018.
- Controllers decide why and how personal data is used, while processors follow instructions and cannot decide the purpose or means themselves.
- Your legal role determines your obligations - controllers have overall responsibility, processors have contractual and security duties.
- Misclassifying your status can mean non-compliance, regulatory fines, and reputational harm.
- If in doubt, map your data flows, assess for each activity, and put professional agreements in place.
- Getting legal help to audit your data handling and draft strong agreements ensures you’re protected as your business grows.
Need support figuring out your GDPR role or complying with data protection law?
Contact the Sprintlaw team on 08081347754 or email us at team@sprintlaw.co.uk for a free, no-obligation chat about your options.