What does it mean if you are a controller?
In detail
What are your responsibilities as a controller?
If you are a controller, you are responsible for ensuring your processing – including any processing carried out by a processor on your behalf – complies with the UK GDPR. Your UK GDPR responsibilities include the following:
- Compliance with the data protection principles: you must comply with the data protection principles listed in Article 5 of the UK GDPR. For more information please read our guidance on the principles.
- Individuals’ rights: you must ensure that individuals can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making. For more information please read our guidance on individuals’ rights.
- Security: you must implement appropriate technical and organisational security measures to ensure the security of personal data. For more information please read our guidance on security.
- Choosing an appropriate processor: you can only use a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets UK GDPR requirements. This means you are responsible for assessing that your processor is competent to process the personal data in line with the UK GDPR’s requirements. This assessment should take into account the nature of the processing and the risks to the data subjects.
- Processor contracts: you must enter into a binding contract or other legal act with your processors, which must contain a number of compulsory provisions as specified in Article 28(3). For more information please read our guidance on contracts.
- Notification of personal data breaches: you are responsible for notifying personal data breaches to the ICO and, where necessary, other supervisory authorities in the EU, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. You are also responsible for notifying affected individuals (if the breach is likely to result in a high risk to their rights and freedoms). For more information please read our guidance on personal data breaches.
- Accountability obligations: you must comply with the UK GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer. For more information please read our guidance on accountability and governance.
- International transfers: you must comply with the UK GDPR’s restrictions on transfers of personal data outside of the UK. For more information please read our guidance on international transfers.
- Co-operation with supervisory authorities: you must cooperate with supervisory authorities (such as the ICO) and help them perform their duties.
- Data protection fee: you must pay the ICO a data protection fee unless you are exempt. For more information please see our guidance on the data protection fee.
Can you be held liable for non-compliance?
Yes. You are ultimately accountable for your own compliance and the compliance of your processors.
An individual can also bring claims directly against a controller if the processing breaches the UK GDPR, in particular if the processing causes the individual damage.
You will be liable for any damage (and any associated claim for compensation payable to an individual) if your processing activities infringe the UK GDPR.
However, you are not liable for damage resulting from a breach of the UK GDPR if you can prove you were not in any way responsible for the event giving rise to the damage.
If you are not the only party involved in the processing (for example, a joint controller or processor is also involved), the individual making the claim for compensation can claim against any of you. If you have to pay full compensation for damage suffered by individuals, you may be able to claim back all or part of the amount of compensation from other controllers or processors involved in the processing, to the extent that they are at fault.