Skip to Content Skip to Navigation

Understanding the General Data Protection Regulation (GDPR) can take time, especially with the introduction of new terminology and concepts. With a business that may be subject to GDPR law, it helps to understand these news concepts to ensure your privacy practices meet the established criteria.

Today, we’re looking at what the regulation means when they say data controller — what function they perform in the handling of personal information and what their role is in the context of user privacy.

What is a data controller?

A data controller is a person or organisation who controls the purpose of and means by which personal data is processed.

So, if you (as an individual) collect and store personal data, you are a data controller. If your business collects and stores personal data, your business is a data controller. Data controllers are tasked with ensuring that personal information is being processed lawfully and in accordance with the GDPR’s data protection requirements.

The GDPR also mentions “joint controllers”, which is a collective term for two or more organisations making joint decisions over data processing. Joint controllers must create a formal agreement that outlines each party’s responsibilities for compliance.

Is a data controller different from a data protection officer?

The term “data controller” is used to broadly identify people and organisations who must comply with the GDPR, whereas a data protection officer (DPO) is the formal job title given to someone who has been specifically hired to carry out these obligations.

A DPO’s role is to oversee data privacy, demonstrate compliance, advocate for and assist data subjects in exercising their rights. There are three instances in which data controllers must appoint a DPO:

  • If the data controller engages in regular and systematic data processing activities on a large scale
  • If they process sensitive or crime-related data on a large scale
  • If they are a public authority, such as a government department or educational institution

Regardless of whether your business needs a DPO, implementing a privacy policy is advised — and a legal requirement in nearly every country. Your policy should disclose:

  • Which personal data you collect, how it’s collected and why
  • What you do with the data
  • Where the data is stored and how your customers or users can access it
  • Any third parties you share data with
  • What measures you have in place to keep data safe

The main thing to remember is that if you have control over someone else’s personal data, you must take the steps to protect it. Whether you’re a new startup or established business, it’s a good idea to review your privacy policy to make sure your business is meeting its obligations as a data controller.

Get a GDPR-ready privacy policy

Make data privacy a business priority. Our site can generate your privacy policy in minutes. Create your policy now.