IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

What are the responsibilities of a data controller?

If your organisation collects people's data, you need to know how GDPR applies to your practices

A hand releasing a stream of differently-coloured waves of light

When the General Data Protection Regulation (GDPR) came into force on 25 May 2018, the data protection and privacy landscape shifted dramatically.

Provisions were toughened, data protection regulators were granted fresh powers, and data controllers and processors were given clearer responsibilities. Generally speaking, GDPR was introduced to improve the data collection and processing hygiene across member states.

The UK government has set out proposals for its own Data Reform Bill, which is set to change requirements surrounding data collection, although this is on hold and will likely only be picked up again by a new administration later in the year. For now, existing rules apply.

Most, if not all, businesses collect data in some form, whether that's HR data on their workers or personal information from customers. Handling this data properly is fundamental to the modern business world, and GDPR sets out a number of provisions and requirements for businesses that vary by what kind of data they collect.

When it comes to collecting and processing data, GDPR establishes two critical roles: the controller and the the processor. We will explore these two terms below, but it's important to establish early that, under GDPR, both parties will be found liable for a data breach. Gone are the days of offloading responsibility.

The role of the data controller has changed slightly from that defined under the previous data protection regime, with GDPR making sure it's impossible to avoid responsibility when fines issued.

What are a data controller's responsibilities?

The entity known as the data controller is the organisation, or person, charged with deciding how the data held is processed.

The controller's counterpart is the data processor, which is the organisation or person responsible for processing data on behalf of the controller. Data processors cannot be employed by the data controller, so they tend to be third-party services.

Data controller responsibilities include stating exactly what data is being processed, how the processing should occur, and the reasons why the data is being processed. It's important for controllers to establish these boundaries and give clear instructions to its data processor.

Under GDPR, controllers are not only jointly liable (alongside processors) for breaches of data, but they also have the ongoing task of ensuring the processor remains compliant within the context of the law.

Ensuring data is collected lawfully

Under GDPR, data controllers can adopt a number of different legal positions in order to justify data collection and processing, though these vary in robustness.

Individual consent

One of the simplest and most well known is individual consent, which will allow a business to collect and process a subject's data with the understanding that they have agreed to this.

But consent can be withdrawn at any time, which makes this position not just weak but also risky for any long-term strategy, as at any time processing could be forced to stop. Moreover, giving the user enough information so that they can provide informed consent to begin with can prove difficult.

Legitimate interest

Related Resource

IT Pro 20/20: What the EU's new AI rules mean for business

The 17th issue of IT Pro 20/20 considers the effect of new regulations on the IT industry

IT Pro 20/20 Issue 17 - What the EU's new AI rules mean for businessDOWNLOAD NOW

It's because of this that most legal experts will recommend a business rely on something other than consent. It's often the case that businesses will fall back on the 'Legitimate Interests' clause of the regulation, which allows the processing of data as part of a service that a customer might reasonably expect.

For example, a business has a legitimate interest to collect and process information relating to a customer order through their online store, as this is integral to processing the order. That does not mean, however, that the business can then use the justification of legitimate interest to then sell that data to a third-party company.

However, a business can also justify the collection and processing of user data if said processing is necessary in order to fulfil the terms of a contract. Similarly, if such processing is necessary in order to protect an individual's "vital interests" or if the processing could be deemed within the public interest, a business would have legal justification.

Businesses must inform individuals on what data they are collecting, and what it is being used for, regardless of how the collection and processing is justified.

Allowing people to access, move, change, and delete their data

This means controllers must allow people to update their information, and move it to another service provider if they so choose. Citizens can request a copy of their data, which must be supplied free of charge and within one month of the request.

Requests for data to be corrected must also be completed within a month, or two months if the request is deemed complex.

Related Resource

2021 Gartner critical capabilities for data integration tools

How to identify the right tool in support of your data management solutions

Whitepaper cover with title, text, dark header banner, and logoFree Download

GDPR allows people to request that their data is deleted if it's no longer relevant or if they no longer consent to it being processed (among other reasons). But controllers can continue to process it for other reasons, including if they're legally obliged to, or it's health-related and in the public interest, or relates to advancing or defending legal claims.

Personal data must also be stored in machine-readable formats, defined in the Open Data Handbook as ‘Data in a data format that can be automatically read and processed by a computer.’ Examples of machine-readable formats include CSV, XML and JSON.

Data controllers must ensure they comply with almost every aspect of the regulation, which you can read more about in our dedicated guide to GDPR.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Most Popular

The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022