Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles anyone's personal information (customer names, staff addresses, client emails), there is a good chance you count as a data controller under UK data protection law. Understanding what this actually means, and whether it applies to you, is essential for meeting your legal obligations and protecting people's rights.
GDPR compliance is a legal must for businesses of every size in the UK. But if you're unsure what a "data controller" is, let alone what your responsibilities are, don't stress. You're in the right place.
In this guide, we'll break down what it means to be a data controller, how to tell if your organisation fits the definition, your core duties under the UK GDPR, and the risks if you get it wrong. We'll also cover the record-keeping essentials every controller needs in order to stay compliant and ready for scrutiny.
Let's clear up the legal jargon and help you make sense of it all. Keep reading to get the facts and get your legal house in order.
What Is a Data Controller?
Let’s start with the big question: what is a data controller?
In plain English, a data controller is the person, company or organisation that decides why and how personal data is processed. Under the UK GDPR and the Data Protection Act 2018, the controller is the party in charge of what happens to the data: it determines the "purposes and means" of any processing activity.
To put it another way, if your business or organisation decides what personal data is collected, why it's collected, how it's used, how long it's kept, and who it's shared with, you're the data controller.
Here’s a quick UK GDPR data controller definition:
- Data Controller: The natural or legal person (for most, that means a business, charity, sole trader or public authority) who alone or jointly determines the purposes and means of processing personal data.
You can read more formal explanations and scenarios in our primer What Is The Data Controller?.
Data Controllers vs Data Processors: What’s the Difference?
One of the most common points of confusion is knowing whether you're actually a data controller, a data processor, or possibly both. Here's a straightforward breakdown:
- Data Controllers decide why and how data is processed. They set the rules and define the aim.
- Data Processors act on the controller's instructions. They process data but have no authority to choose why or how; they only do what the controller tells them.
For example:
- If you run an ecommerce website and you collect, store, and analyse your customers’ details to manage orders and send marketing emails, you are almost certainly the data controller.
- If you use an external payroll provider and they only process your staff’s pay data as you instruct, that payroll company is a data processor.
Sometimes, an organisation can be both a controller in one scenario and a processor in another, depending on their role in different data processing activities.
Want more situations and examples? Dive deeper into how roles are defined in contracting relationships.
How Do I Know If I’m a Data Controller?
If you’re scratching your head wondering “who is the data controller in our company?”, try asking these questions:
- Do you decide whose personal data is collected?
- Do you decide why that data is collected, i.e. what the purpose is?
- Do you have the final say in what happens to the information?
- Do you control how the data is stored and for how long?
- Are you responsible for who the data is shared with (e.g., marketing partners, suppliers)?
If the answer to most of these is “yes”, your business or organisation is a data controller. In a nutshell, an organisation which makes decisions about personal data is a data controller.
Here are some common examples:
- Dealerships: A car dealership is typically the data controller for the customer and staff data it collects for its own purposes. A manufacturer or finance company that collects data for its own purposes (for example, to run a credit check) is a separate controller for that data, not a processor for the dealership.
- Schools: Schools control the means and purpose for processing student and parent information.
- Startups: If you’re running a tech startup and you’re making the decisions about user data, you’re the controller.
For highly detailed contracts and practical separation of responsibilities between controllers and processors, see our guide on international contracts when handling data across borders.
Key Legal Duties of Data Controllers Under UK GDPR
So, once you know you're a data controller, what are your responsibilities? The UK GDPR puts you front and centre, with the clearest duties and the heaviest penalties for getting it wrong. Here's what every UK data controller must do:
1. Lawfulness, Fairness, and Transparency
- You must process all personal data lawfully, fairly and in a transparent manner. That means you need a valid legal basis for processing (such as consent or necessity for a contract), and data subjects must be informed, in clear and simple language, about what you do with their data.
- Controllers are responsible for providing a Privacy Policy that sets this out-read more on website terms and privacy essentials here.
2. Accountability and Documentation
- Controllers must be able to show, at any time, that they comply with the GDPR. This means creating and maintaining up-to-date records of all your processing activities.
- If you have 250 or more employees you are legally required to keep these records. Smaller organisations are only exempt if their processing is occasional, is unlikely to result in a risk to people's rights and freedoms, and involves no special category or criminal offence data. Most businesses fail at least one of those tests, so in practice you should keep the records regardless.
3. Upholding Individuals’ Rights
- You must support people’s rights around their personal data-including access, correction, erasure, objection, data portability, and the right to restrict processing. This means having policies and clear procedures to deal with these requests efficiently.
- Need help setting this up? Learn about data subject access request forms and essential processes.
4. Data Security
- Data controllers must ensure proper organisational and technical measures are in place to protect information. That includes secure storage, access controls, employee training, and regular audits.
- For tips on securing digital data and the legal issues around cyber security, see our guide to cyber security legal issues.
5. Notifying Breaches
- If you suffer a personal data breach that poses a risk to individuals, you must notify the relevant supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to the people affected, you must also inform them without undue delay.
- Build your response plan with our advice on preparing a data breach response plan.
6. Contracts With Processors
- If any other company processes data on your behalf, you must have a written contract with them that covers the UK GDPR's processor requirements and ensures they act only on your documented instructions.
- See more on choosing the right agreements for your business relationships.
Why Is Record-Keeping So Important For Data Controllers?
Record-keeping is not just a bureaucratic hoop to jump through-it’s the backbone of GDPR accountability. As a data controller, keeping paper trails is how you prove to the ICO, your clients, and your team that privacy is a priority and compliance is under control.
Here’s what a data controller’s records of processing activities typically cover:
- The types of personal data you process (names, emails, payment info, etc.)
- The purposes for which the data is processed
- Categories of data subjects (customers, employees, suppliers, etc.)
- Third parties or recipients you share the data with
- If the data is transferred outside the UK or EEA, details of how it’s protected
- How long you retain the data (data retention policies)
- A general description of your security measures
Creating and updating these records makes it easier to react quickly if there’s a problem or a regulation change. It also reduces the stress and risk of an investigation, as you can easily show what you do and why.
For businesses with sophisticated operations or cross-border activities, it’s wise to seek advice on international contracts and GDPR compliance.
What Happens If Data Controllers Don’t Comply?
Let's get real: a breach of your duties as a data controller isn't just an administrative headache. Failing to comply with the GDPR can lead to:
- Investigations by the Information Commissioner’s Office (ICO)
- Significant financial penalties (fines can reach up to £17.5 million or 4% of annual global turnover, whichever is higher)
- Serious damage to your reputation and customer trust
- Potential lawsuits from affected individuals
- Operational disruption if you’re required to change your processes on short notice
The good news? By getting your house in order and meeting controller obligations from day one, you’ll avoid the lion’s share of legal risks and position your business for long-term growth. Don’t leave compliance to chance-every business is better off with a strong privacy-first approach.
For more advice on how a privacy breach can affect businesses in practice, take a look at customer data protection tips.
Practical Steps & GDPR Checklist For Data Controllers
Ready to get compliant? Here’s a practical, jargon-free checklist to help you fulfil your duties as a UK GDPR data controller:
- Map Your Data: Identify what personal data you hold, why you process it, and where it lives (both physically and digitally).
- Draft Privacy Notices: Create clear and accessible privacy policies for your customers, staff, and any other data subjects. Make sure they explain in plain English how you use people’s information.
- Systems For Individual Rights: Set up clear processes for responding to data subject requests (access, erasure, etc.) efficiently and within GDPR deadlines.
- Maintain Processing Records: Get your “records of processing activities” up to date and keep them accessible. They should cover the points listed above under record-keeping.
- Review Your Security Measures: Regularly check IT and physical security. Enforce access controls so that only the people who need personal data can reach it, keep systems patched, train team members, and apply further technical controls as needed.
- Contracts With Processors: Identify any third parties who process data for you, and ensure appropriate agreements are in place, addressing GDPR requirements directly.
- Plan For Breaches: Develop a clear data breach response plan-make sure everyone knows what to do, and update it as your business changes.
- Train Your Staff: Regularly train staff about data privacy and the importance of GDPR compliance. It reduces the risk of mistakes.
If sorting all this feels a bit overwhelming, that's completely normal for small businesses and startups. Consider getting a GDPR package tailored for your industry; it takes the pressure off.
Key Takeaways
- A data controller determines why and how personal data is processed; this role comes with significant legal duties under the UK GDPR.
- If your business makes key decisions about collecting and using personal data, you are almost always acting as the controller-even if you use third-party processors.
- Data controllers are responsible for fair, lawful, and transparent data processing, maintaining records, supporting individual rights, and ensuring strong data security.
- Proper record-keeping is essential: staying organised and audit-ready is the best way to avoid fines and regulatory issues.
- Failing your duties as a controller can mean hefty fines, legal trouble, and reputational harm, so compliance isn't optional.
- Use a checklist: Map your data, update your privacy notices, maintain records, review your IT security, and get contracts in place with any data processors.
- If you're at all unsure, seek legal advice. Tailored support can save you time, money, and stress in the long run.
If you want tailored help with getting your GDPR obligations right, as a data controller or a processor, get in touch with our expert team for a free, no-obligation chat. You can reach us at 08081347754 or team@sprintlaw.co.uk any time.