The UK GDPR (the UK’s main data protection law) puts different obligations on companies depending on how they control or process personal data about their customers, prospects, staff or anyone else.
Controller
A controller is an individual or company who decides why and how personal data is processed. In a nutshell, controllers make decisions about personal data. So, in figuring out whether you or your startup is a controller, ask yourself if you decide:
- Whether personal data is needed in the first place, and on what legal basis?
- What personal data you will collect?
- How it will be collected?
- What the personal data will be used for?
- Who the personal data will be shared with or disclosed to?
- Which data subject rights will apply to the processing?
- How long the personal data will be kept for?
This is not an exhaustive list but, if you answered “yes” to one or more of those questions, it’s likely that you’re a controller.
Processor
A processor is someone who processes personal data on behalf of a controller. Common examples of the controller/processor relationship are:
- Client and cloud services provider
- Client and marketing tool provider
- Client and HR payroll or benefits provider
- Client and data analytics provider
You might notice a common theme here. A processor must be a separate entity which usually provides a service to benefit the controller.
But what does it mean for my business? Find out at CUBE by Lewis Silkin - Am I a data controller or a processor?
Can I be both? Yes. Businesses are complex structures and are likely to carry out a range of data processing activities. For example, a company might be a controller with respect to the processing of its staff’s data and also a processor in relation to the services it provides to its clients.