Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects, uses, stores, shares, analyses or deletes personal data (for example, customer details, employee records, website analytics, or CCTV footage), you’ll almost certainly need to understand the role of a data controller under UK GDPR.
This matters because “data controller” isn’t just a label - it’s the role that carries the biggest share of legal responsibility for how personal data is handled. Even if you outsource parts of your operations (like payroll, marketing, or cloud storage), you can still remain the controller and stay on the hook for compliance.
Below, we’ll break down what a data controller is, what controllers must do under UK GDPR and the Data Protection Act 2018, and the practical steps small businesses can take to stay compliant without getting overwhelmed.
What Is A Data Controller Under UK GDPR (And Why Does It Matter)?
Under UK GDPR, a data controller is the person or organisation that decides:
- why personal data is being processed (the purpose), and
- how that personal data will be processed (the key decisions about the means).
So, if you’re deciding “we’re collecting customer emails to send order updates and marketing” or “we’re using CCTV for site security” or “we’re collecting staff emergency contact details”, you’re likely acting as the controller.
When people ask about the role of a data controller, the simplest answer is:
The controller is responsible for making sure personal data is processed lawfully, fairly and securely - and for being able to demonstrate that compliance.
That “demonstrate it” part is important. UK GDPR is built on the accountability principle, which means it’s not enough to do the right thing - you should be able to evidence compliance with policies, records, contracts, and training.
Common Examples Of Data Controllers In Small Businesses
Many small businesses act as controllers in everyday operations, including:
- Online retailers processing customer contact and delivery details
- Professional service firms storing client emails, invoices and case notes
- Hospitality venues taking reservations and managing loyalty lists
- Employers processing payroll, performance records and sickness information
- Content creators and marketing businesses running mailing lists and audience analytics
If any of that sounds familiar, understanding your responsibilities as a data controller is a key part of getting your legal foundations right from day one.
Data Controller Vs Data Processor: Who Does What?
A lot of GDPR confusion comes from mixing up controllers and processors.
A data processor is a person or organisation that processes personal data on behalf of the controller, following the controller’s instructions.
In practice:
- You (the business) are often the controller.
- Your service providers (payroll company, email marketing platform, cloud storage provider, IT support provider) are often processors.
Why This Distinction Matters
If you’re the controller, you’re responsible for the big-ticket compliance items - including choosing compliant processors and putting the right contracts in place. This is one of the most important parts of a controller’s role, because you can’t just “outsource GDPR”.
In many cases, you’ll want a proper Data Processing Agreement with your processors, setting out what they can and can’t do with personal data and the security standards they must meet.
What About Joint Controllers?
Sometimes, two organisations both have meaningful decision-making power over the purposes and key means of processing - for example, in a co-branded marketing campaign or a shared platform arrangement. In that case, you may be joint controllers and need a clear written arrangement allocating responsibilities (in particular, providing privacy information and handling data subject requests).
Even with a written arrangement, joint controllers can still each face regulatory scrutiny (and potential claims) depending on what went wrong. This is an area where getting tailored legal advice is sensible, because joint controller relationships can create unexpected liability if roles aren’t properly understood and documented.
What Is The Role Of The Data Controller Day-To-Day? Key Responsibilities
The controller’s role touches almost everything to do with personal data. Here are the most common responsibilities UK small businesses should expect to manage.
1. Choose A Lawful Basis For Processing
As a controller, you must have a valid lawful basis for each type of processing you do. Common lawful bases include:
- Contract (e.g. processing delivery details to deliver an order)
- Legal obligation (e.g. keeping payroll and tax records)
- Legitimate interests (e.g. basic fraud prevention or network security, where balanced properly)
- Consent (e.g. marketing emails in situations where you need opt-in)
You’ll also need extra care if you’re processing special category data (like health information) or criminal offence data, because extra conditions apply.
2. Be Transparent: Privacy Notices And Fair Processing
Another core part of the controller’s role is transparency. People should understand what you’re doing with their data, why, and what rights they have.
For most businesses, this means having a clear Privacy Policy that explains (in plain English):
- what personal data you collect
- how and why you use it
- who you share it with
- how long you keep it
- how people can exercise their rights
Transparency also applies in workplaces. If you monitor staff devices or use CCTV, you should be upfront and have proper policies in place (more on this below).
3. Keep Records And Demonstrate Compliance (Accountability)
UK GDPR requires controllers to be accountable. Depending on your business size and risk profile, you may need to keep (or it’s at least best practice to keep):
- data maps (what data you have, where it comes from, where it goes)
- records of processing activities (ROPA)
- decision records for lawful bases and retention
- training logs (especially if staff handle customer data)
- breach logs (even if breaches aren’t reportable)
For many small businesses, this sounds heavy - but it’s manageable if you treat it like an operational checklist rather than a one-off project.
4. Build Privacy Into Your Systems (Data Protection By Design And Default)
Controllers are expected to take privacy seriously when setting up processes and systems - not as an afterthought after a problem happens.
This includes:
- collecting only what you need (data minimisation)
- setting sensible default privacy settings
- restricting internal access on a “need-to-know” basis
- using secure tools and implementing strong password/2FA practices
Many businesses formalise this through internal policies such as an Acceptable Use Policy, which sets rules for how staff use devices, systems, and data.
5. Manage Processor Relationships Properly
As the controller, you must only use processors that provide “sufficient guarantees” of security and compliance.
In practical terms, that usually means:
- doing basic due diligence (security standards, location of data, sub-processors)
- ensuring there’s a written contract that includes UK GDPR-required clauses
- checking how they handle breaches and data subject requests
This is where a tailored Data Processing Agreement is often essential, particularly if the processor will handle sensitive personal data or high volumes of personal data.
6. Keep Personal Data Secure
Security is a central part of the controller’s responsibilities. UK GDPR expects “appropriate technical and organisational measures”. What’s “appropriate” depends on your size, the type of data, and the risk.
For many small businesses, good security measures include:
- device encryption and secure backups
- access controls (least privilege)
- staff training on phishing and scams
- secure disposal and deletion practices
- vendor risk management (especially for cloud tools)
If you’re using cameras, audio recording, or monitoring tools, security and access controls become even more important because the data can be highly sensitive. It’s worth understanding the rules around cameras in the workplace and whether recording conversations is lawful in your specific circumstances.
7. Handle Data Subject Rights Requests (Including SARs)
Another major controller responsibility is responding to “data subject rights” requests. These can include requests to:
- access their data (a Subject Access Request)
- correct inaccurate data
- delete data (in some cases)
- restrict processing
- object to processing
- receive data in a portable format (in some cases)
Subject Access Requests (SARs) are the ones that most often catch small businesses off-guard - especially if the request comes in during a dispute or employment issue. Your process needs to be organised and timely, and you need to understand what you can and can’t withhold. If you deal with SARs in a workplace setting, it helps to know the practical boundaries around what employers can withhold.
8. Deal With Data Breaches Properly (Including Reporting Where Required)
A “personal data breach” can include accidental disclosure (sending an email to the wrong person), loss of a laptop, hacking, or unauthorised staff access.
As controller, you should:
- contain and assess the breach quickly
- document what happened and what you did
- notify the ICO within 72 hours where required
- notify affected individuals where the risk is high
Many businesses prepare for this with a formal Data Breach Response Plan, so you’re not making decisions in a panic.
Practical Scenarios: When Your Business Is The Data Controller
Sometimes the easiest way to understand what a data controller does is to look at real business situations.
Scenario 1: You Run An Online Store
You collect customer names, addresses, email addresses and payment information to fulfil orders. You decide what’s collected and why - so you’re the controller.
You might use third-party providers (payment gateway, courier platform, email marketing tool). They may be processors, but you still need to make sure:
- your privacy information is clear
- you have appropriate contracts with processors
- your security controls are sensible
Scenario 2: You Employ Staff
You’re processing employee personal data for payroll, HR administration, and workplace management. That makes you a controller.
From a controller perspective, key risks often include:
- over-collecting data you don’t need
- inadequate access controls (too many people can see sensitive HR info)
- monitoring and surveillance without proper transparency
If you use CCTV or monitoring tools, it’s important to have a clear purpose, minimise intrusion, and document your reasoning. This can become even more sensitive if you’re considering audio features, because the legal and practical risk is often higher - see our guide on CCTV with audio.
Scenario 3: You Share A Mailing List With A Partner
If you and another business jointly decide how the mailing list will be used, you might be joint controllers. If the other business simply sends emails on your instructions, they might be a processor.
This is one of those areas where small businesses can accidentally get it wrong, so it’s worth documenting roles early and putting appropriate agreements in place.
How Do You Stay Compliant As A Data Controller Without Overcomplicating It?
UK GDPR compliance can feel intimidating, particularly if you’re busy running your business day-to-day. The good news is that most small business compliance comes down to getting a few core things right and keeping them up to date.
A Simple Controller Compliance Checklist
Here’s a practical starting point:
- List what personal data you collect (customers, leads, staff, suppliers) and why.
- Choose and document lawful bases for each category of processing.
- Put transparency in place via a Privacy Policy and any employee-facing notices.
- Check your contracts with processors and make sure you have the right GDPR clauses.
- Set retention rules so you don’t keep personal data “just in case”.
- Lock down security (access controls, training, device security, backups).
- Have a clear SAR process so you can respond quickly and consistently.
- Prepare for breaches with an internal response plan and escalation steps.
When Should You Consider A DPIA?
A Data Protection Impact Assessment (DPIA) is required where your processing is likely to result in a high risk to individuals’ rights and freedoms (and it’s good practice to consider one whenever you’re introducing a new use of data that could meaningfully affect people).
Common examples that may trigger a DPIA include systematic monitoring (particularly in workplaces or public areas), large-scale processing of special category data, using new technology in a way that could be intrusive, or profiling that has significant effects. Whether a DPIA is needed is context-specific - it depends on what you’re doing, at what scale, and the risks involved.
If you want a more structured, “done properly” approach, many businesses use a support package to bring policies, contracts, and documentation together in one place, such as a GDPR package.
Key Takeaways
- The role of a data controller is to decide why and how personal data is processed, and to take primary responsibility for UK GDPR compliance.
- Even if you outsource processing to third parties, you may still be the controller and remain legally responsible for transparency, lawful bases, security and accountability.
- Key controller responsibilities include choosing lawful bases, issuing clear privacy information, managing processor contracts, keeping data secure, and handling data subject rights requests like SARs.
- Controllers should be prepared to deal with personal data breaches, including documenting incidents and reporting to the ICO where required.
- Staying compliant doesn’t have to be overwhelming - a practical checklist, clear policies, and correctly drafted agreements can go a long way.
- If your business processes higher-risk data (for example, monitoring, sensitive data, or complex data-sharing), it’s worth getting tailored legal advice to avoid expensive mistakes later.
If you’d like help putting the right data protection documents and processes in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.