Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects customer emails, takes bookings online, uses CCTV in-store, or pays staff, you’re handling “personal data”. Under UK law, that means you likely have legal responsibilities as a “data controller”.
Don’t stress – once you know what a data controller is (and what the role involves), the steps to stay compliant are straightforward. Getting this right protects your customers, builds trust and keeps you on the right side of the law.
In this guide, we explain what a data controller is under the UK GDPR and Data Protection Act 2018, how it compares to a processor, and the practical duties you need to manage as a small business.
What Is a Data Controller Under UK Law?
In simple terms, a data controller is the organisation that decides why and how personal data is used. If your business determines the purpose (the “why”) and the means (the “how”) of processing personal data, you’re the controller.
Key points to remember:
- “Personal data” includes any information that can identify a person – names, emails, addresses, phone numbers, payment details, employee records, IP addresses and more.
- “Processing” covers almost anything you do with personal data – collecting, storing, using, sharing, deleting.
- If you choose the purpose and method (even broadly), you’re a controller. If you follow someone else’s instructions about the data and don’t decide the purpose, you’re more likely a processor.
UK controller obligations primarily come from the UK General Data Protection Regulation (UK GDPR), supported by the Data Protection Act 2018. The Privacy and Electronic Communications Regulations (PECR) also set rules for electronic marketing and cookies.
If you’re thinking “this sounds like us”, you’re not alone – most UK SMEs are data controllers in relation to at least some of their activities, such as customer management and HR records.
Data Controller vs Data Processor (And Joint Controllers)
Understanding the difference is essential because the law puts different duties on each role.
What’s a Data Processor?
A data processor processes personal data on behalf of a controller. They act on the controller’s documented instructions.
Common examples:
- Your cloud CRM provider storing your customer database.
- An external payroll bureau running payroll using your staff details.
- A marketing platform sending emails to your subscriber list.
If you engage a processor, UK GDPR requires a written contract with specific clauses – this is usually called a Data Processing Agreement.
What Are Joint Controllers?
Sometimes two or more organisations jointly decide the purposes and means of processing. In that case, they can be joint controllers. Joint controllers must clearly allocate responsibilities – especially around transparency and handling people’s rights – and communicate the essence of that arrangement to individuals.
Why It Matters
Controllers are responsible for complying with UK GDPR principles, establishing a legal basis, being transparent, upholding individuals’ rights, and ensuring processors are compliant. Processors have their own duties (like keeping data secure and only acting on instructions), but the ultimate accountability typically sits with the controller.
Are You the Data Controller? Practical Scenarios for Small Businesses
Still unsure who the data controller is in your situation? Here are typical small-business scenarios:
- Online Retailer. You decide to collect customer details for orders and marketing. You choose your e-commerce platform and email provider. You’re the controller. The platform and email provider are processors (for most functions).
- Professional Services Firm. You keep client files, decide what information is needed, and how long to retain it. You’re the controller. Your document management provider is a processor.
- Hospitality Venue with CCTV. You install cameras to prevent theft and protect staff. You determine the purpose and retention period. You’re the controller. Your CCTV maintenance company may be a processor.
- Recruitment Agency Placing Candidates. You collect candidate data and decide how it’s used in your processes. You’re the controller for your candidate database. When you share data with a client hiring firm, roles can vary – sometimes each of you is a separate controller for your own purposes, or you may be joint controllers if you make decisions together.
- Franchise Business. The franchisor may be a controller for network-wide systems and brand marketing, while the franchisee is the controller for local operations and staff data. Sometimes the roles overlap – this needs careful mapping.
In practice, a single company can be a controller for some activities and a processor for others. Always ask: who decides why and how this personal data is processed?
What Does a Data Controller Do? Core Legal Duties
As a controller, you need to follow the UK GDPR data protection principles and be able to demonstrate compliance. Here’s what that means in everyday terms.
1) Identify a Lawful Basis for Each Purpose
Every use of personal data needs a lawful basis. Common lawful bases include consent, contract (processing is necessary to perform a contract with the person), legal obligation, legitimate interests, and others (like vital interests or public task).
Action: Map your processing activities and record the lawful basis for each (for example, fulfilling orders, managing bookings, paying staff, or marketing with consent/soft opt-in).
2) Be Transparent and Provide Clear Privacy Information
You must explain what data you collect, why, how long you keep it, who you share it with, your lawful basis, and how people can exercise their rights. This goes in your Privacy Policy and other notices where appropriate (e.g. at the point of data capture, in job ads, or on CCTV signage).
3) Respect Individuals’ Rights
People can request access to their data, ask for corrections, object to certain uses, request deletion (in some cases), and more. Controllers must respond within one month in most cases and keep records of requests.
Action: Set up a structured process for handling subject access requests, including how you verify identities, locate data, and meet SAR deadlines.
4) Keep Personal Data Secure
UK GDPR requires “appropriate technical and organisational measures” to keep personal data secure. Depending on your business, this can include encryption, access controls, staff training, multi-factor authentication, device and email security, and vendor due diligence.
Action: Document your measures, assess your tools (including whether your cloud storage settings are configured securely), and test your incident response regularly.
5) Manage Processors Properly
When you use service providers to process personal data, you must have a written contract with specific GDPR clauses and you’re responsible for ensuring they provide sufficient guarantees about security and compliance. This is where a robust Data Processing Agreement is essential.
6) Set Retention Periods and Delete Data You No Longer Need
Personal data should be kept only as long as necessary for the purposes you collected it. Have a retention schedule and make sure old data is archived or deleted in line with it.
7) Cookies and Electronic Marketing
PECR rules apply to cookies and many kinds of electronic marketing. Most non-essential cookies require consent, managed via compliant cookie banners and a cookie policy. Email and SMS marketing have specific rules (including consent or soft opt-in, plus clear opt-outs).
8) International Data Transfers
If personal data leaves the UK (for example, because it is hosted on overseas servers), you’ll need to ensure appropriate safeguards are in place (such as the UK Addendum to the SCCs or another approved mechanism) unless an adequacy decision applies. Map where your vendors store and access data.
9) Accountability and Documentation
“Accountability” means you must be able to show your compliance – policies, training records, vendor checks, DPIAs where needed, records of processing activities, incident logs, and your responses to data rights requests.
10) Report Certain Data Breaches
If you suffer a personal data breach that risks individuals’ rights and freedoms, you may need to notify the ICO within 72 hours and, in some cases, inform the affected individuals. Having a tested data breach response plan is critical.
Essential Documents and Processes for Controllers
To be confident you’re covered, most controllers will need the following building blocks.
Privacy Notices and Policies
- Customer/Website Privacy Notice. Explains what you collect, how you use it, your lawful bases, retention, and rights.
- Employee/Applicant Privacy Notice. Separate notice for staff and candidates to cover HR processing.
- Cookie Policy and Consent Mechanism. If you use cookies beyond strictly necessary, implement compliant consent and clearly describe technologies used via your banner and policy.
Your public-facing statement is typically your Privacy Policy alongside cookie information where relevant.
Contracts With Service Providers (Processors)
Put GDPR-compliant terms in place with any supplier that processes personal data for you. A well-drafted Data Processing Agreement sets out security standards, sub-processor control, assistance with data rights, and audit rights. If you share data with other organisations as independent controllers, consider a Data Sharing Agreement to govern the handover.
Internal Governance
- Records of Processing Activities. A living register of what you process, purposes, lawful bases, recipients, retention, and security.
- Retention Schedule. Clear timeframes for deletion or anonymisation.
- Security Policies and Training. Acceptable use, access control, BYOD, incident response and regular staff training.
- DPIAs (Data Protection Impact Assessments). Required for high-risk processing (e.g., large-scale monitoring or special category data). Even when not strictly required, a DPIA-style assessment is good practice for new projects.
Responding to Data Rights Requests
Set up procedures to handle access, erasure, rectification, portability and objection requests. Decide who triages requests, how you verify the requester, how you locate the data, and how you meet the one-month time limit. Keep an eye on your SAR deadlines, especially during busy periods.
Fees, Registration and Paying the ICO Levy
Most UK controllers must pay an annual data protection fee to the ICO. Some small businesses qualify for an exemption. Double-check your position and, if you qualify, rely on an applicable ICO fee exemption. If you need to pay, do it promptly to avoid penalties.
Vendors and International Transfers
Audit your vendors: where do they store and access data, what certifications do they hold, and what protections do they offer? Make sure your contract and transfer tools cover overseas hosting and support arrangements. That includes checking the security of your cloud storage configuration and access controls.
Marketing, Cookies and Consent
For electronic direct marketing and website tracking, PECR and UK GDPR both matter. Use compliant cookie banners and keep a record of cookie and marketing consents (or soft opt-in eligibility where it applies). Always include a simple unsubscribe in marketing messages.
Key Takeaways
- The data controller is the organisation that decides why and how personal data is processed. Most UK SMEs are controllers for at least some activities (customers, staff, suppliers, CCTV).
- Controllers must identify a lawful basis, be transparent, uphold data subject rights, keep data secure, manage processors via a solid Data Processing Agreement, set retention periods and document compliance.
- Make your privacy information clear and accessible with a user-friendly Privacy Policy, employee privacy notices and accurate cookie information backed by compliant cookie banners.
- Prepare for requests and incidents: establish a workflow for subject access (and track SAR deadlines) and test your data breach response plan.
- Check your ICO data protection fee position and apply any valid ICO fee exemption if eligible. Keep vendor contracts, international transfers and cloud storage security under review.
- Set your legal foundations early – it protects your business from day one, builds customer trust and makes compliance manageable as you grow.
If you’d like help mapping your controller responsibilities, drafting a Privacy Policy, or putting the right data protection contracts in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.