What are the responsibilities of a data controller?

A hand releasing a stream of differently-coloured waves of light indicating a great number of data controller responsibilities

The General Data Protection Regulation (GDPR) - which came into effect in May 2018 - meant huge changes in data collection by businesses, including greater compliance with data protection and personal data privacy. 

In brief, the new regulations meant an evolution of rights, with stronger data protection rules and clearer data controller responsibilities, including greater control of data processing activities. Ultimately, GDPR set out how organizations should manage data, ensuring better data hygiene across EU member states. 

In July 2022, the UK government proposed a Data Protection and Digital Information Bill, which set out provisions for greater regulation of personal data, access to customer and business data, and provision around electronic and e-signatures, however, the Bill was withdrawn in March 2023.  

More recently in November 2023, the government completed the Data Protection and Digital Information (No. 2) Bill - which is due to have its report stage and final debate stage in the House of Commons on a date to be announced. This bill amends existing data protection laws, introduces changes to individuals' rights to access their personal data, and introduces new laws for processing data

These new approaches mean the main responsibilities of a data controller will reduce, as they're relieved of certain data transparency obligations. 

When GDPR was first introduced, it outlined two clear roles involved in the collection and processing of data. The most important are data controllers and Data Protection Officers (DPOs), who ultimately report into their organization’s CEO. 

As mentioned, data controller responsibilities defined under GDPR are set to change under the new Data Protection and Digital Information Bill, however here we share how they currently stand. 

 What are main data controller responsibilities?

The entity known as the data controller is the organization, or person, charged with deciding how the data held is processed. 

The controller's counterpart is the data processor, which is the organization or person responsible for processing data on behalf of the controller. Data processors cannot be employed by the data controller, so they tend to be third-party services. 

Data controller responsibilities include stating exactly what data is being processed, how the processing should occur, and the reasons why the data is being processed. Controllers need to establish these boundaries and give clear instructions to their data processors. 

Under GDPR, controllers are not only jointly liable (alongside processors) for breaches of data, but they also have the ongoing task of ensuring the processor remains compliant within the context of the law. 

Ensuring data is collected lawfully

Under GDPR, data controllers can adopt several different legal positions to justify data collection and processing, though these vary in robustness. 

Individual consent

One of the simplest and most well-known is individual consent, which will allow a business to collect and process a subject's data with the understanding that they have agreed to this. 

But consent can be withdrawn at any time, which makes this position not just weak but also risky for any long-term strategy, as at any time processing could be forced to stop. Moreover, giving the user enough information so that they can provide informed consent to begin with can prove difficult. 

Legitimate interest


Whitepaper cover with cartoon image of female wheel chair user talking to a man wearing a cap, with another man lifting a message bubble onto a phone screen

(Image credit: ServiceNow)

Read how security, risk, and technology asset management teams collaborate to easily manage vulnerabilities.


It's because of this that most legal experts will recommend a business rely on something other than consent. It's often the case that businesses will fall back on the 'Legitimate Interests' clause of the regulation, which allows the processing of data as part of a service that a customer might reasonably expect. 

For example, a business has a legitimate interest in collecting and processing information relating to a customer order through its online store, as this is integral to processing the order. That does not mean, however, that the business can then use the justification of legitimate interest to sell that data to a third-party company. 

However, a business can also justify the collection and processing of user data if said processing is necessary to fulfill the terms of a contract. Similarly, if such processing is necessary to protect an individual's "vital interests" or if the processing could be deemed within the public interest, a business would have legal justification. 

Businesses must inform individuals on what data they are collecting, and what it is being used for, regardless of how the collection and processing is justified. 

Allowing people to access, move, change, and delete their data

This means controllers must allow people to update their information, and move it to another service provider if they so choose. Citizens can request a copy of their data, which must be supplied free of charge and within one month of the request. 

Requests for data to be corrected must also be completed within a month, or two months if the request is deemed complex. 


A whitepaper from Nvidia on how to deliver secure, trustworthy, and scalable AI

(Image credit: Nvidia)

Learn more about a software platform that can deliver secure, trustworthy, and scalable AI solutions for improved data privacy.


GDPR allows people to request that their data be deleted if it's no longer relevant or if they no longer consent to it being processed (among other reasons). But controllers can continue to process it for other reasons, including if they're legally obliged to, or if it's health-related and in the public interest, or relates to advancing or defending legal claims. 

Personal data must also be stored in machine-readable formats, defined in the Open Data Handbook as ‘Data in a data format that can be automatically read and processed by a computer.’ Examples of machine-readable formats include CSV, XML, and JSON. 

Data controllers must ensure they comply with almost every aspect of the regulation, which you can read more about in our dedicated guide to GDPR. 

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.