In detail

What are your responsibilities as a controller?

If you are a controller, you are responsible for ensuring your processing – including any processing carried out by a processor on your behalf – complies with the GDPR. Your GDPR responsibilities include the following:

  • Compliance with the data protection principles: you must comply with the data protection principles listed in Article 5 of the GDPR. For more information please read our guidance on the principles.
  • Individuals’ rights: you must ensure that individuals can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making. For more information please read our guidance on individuals’ rights.
  • Security: you must implement appropriate technical and organisational security measures to ensure the security of personal data. For more information please read our guidance on security.
  • Choosing an appropriate processor: you can only use a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets GDPR requirements. This means you are responsible for assessing that your processor is competent to process the personal data in line with the GDPR’s requirements. This assessment should take into account the nature of the processing and the risks to the data subjects.
  • Processor contracts: you must enter into a binding contract or other legal act with your processors, which must contain a number of compulsory provisions as specified in Article 28(3). For more information please read our guidance on contracts.
  • Notification of personal data breaches: you are responsible for notifying personal data breaches to the ICO and, where necessary, other supervisory authorities in the EU, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. You are also responsible for notifying affected individuals (if the breach is likely to result in a high risk to their rights and freedoms). For more information please read our guidance on personal data breaches.
  • Accountability obligations: you must comply with the GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer. For more information please read our guidance on accountability and governance.
  • International transfers: you must comply with the GDPR’s restrictions on transfers of personal data outside the EU. For more information please read our guidance on international transfers.
  • Appointing a representative within the European Union: if you are based outside the EU but offer services to or monitor individuals inside the EU, you may need to appoint a representative in the EU.
  • Co-operation with supervisory authorities: you must cooperate with supervisory authorities (such as the ICO) and help them perform their duties.
  • Data protection fee: you must pay the ICO a data protection fee unless you are exempt. For more information please see our guidance on the data protection fee.

Can you be held liable for non-compliance?

Yes. You are ultimately accountable for your own compliance and the compliance of your processors.

Supervisory authorities in each member state (such as the ICO) regulate and enforce your compliance with the GDPR. They have powers to investigate, order you to comply, and to impose significant fines. For more details about how we exercise our powers, please see the taking action page on our website.

An individual can also bring claims directly against a controller if the processing breaches the GDPR, in particular if the processing causes the individual damage.

You will be liable for any damage (and any associated claim for compensation payable to an individual) if your processing activities infringe the GDPR.

However, you are not liable for damage resulting from a breach of the GDPR if you can prove you were not in any way responsible for the event giving rise to the damage.

If you are not the only party involved in the processing (for example, a joint controller or processor is also involved), the individual making the claim for compensation can claim against any of you. If you have to pay full compensation for damage suffered by individuals, you may be able to claim back all or part of the amount of compensation from other controllers or processors involved in the processing, to the extent that they are at fault.