GDPR: Glossary of Terms – Data Controller

GDPR Data Controller

From Article 4 of the EU GDPR documentation:

“[A Data Controller] means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

The Data Controller is your organisation.

The above definition may start with ‘natural or legal person’, but the truth is your organisation is a legal person. You may appoint one or more people inside your organisation to be your Data Controller, but they are still acting on behalf of your organisation.

The Data Controller has the ultimate responsibility to implement the rules of the GDPR.

“The GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, etc”

– EU

They (or you) are the source of the need for the data. Data Processors process data on behalf of Data Controllers, and Data Protection Officers oversee compliance, but the Data Controller is the party everyone looks to.

The Data Controller has ultimate responsibility for compliance with the GDPR, but their responsibilities can be broadly described as follows:

  1. The Data Controller determines what personal data is required to perform the various tasks that are needed.
  2. The Data Controller puts in place the means to lawfully collect and securely store the personal data required, using Data Processors where necessary.
  3. The Data Controller manages the relationship with all Data Processors, including using written contracts to formalise responsibilities.
  4. The Data Controller manages the long-term security of the personal data, including its removal when it is no longer required.
  5. The Data Controller manages Data Subjects’ rights, such as the Right to Erasure and the Right to Rectification.
  6. The Data Controller will act on any data breach, including where necessary reporting it to the relevant authority (the ICO in the UK).

Basically the Data Controller is where you start with the GDPR. From here, everything else follows. There is a nice checklist on the ICO’s website that gives you an indication of what is required, as well as giving you an opportunity to assess where you are at the moment.

The GDPR is a big deal. While we’re attempting to create a readable and accessible introduction to the GDPR, our comments here should not be considered legal advice. The best single place for GDPR information in the UK is the ICO website. You may also wish to obtain your own legal advice, which, again, this is not.

The author, Michael Horner, is a member of the CIPD and an enthusiastic student of the GDPR. Email him here, follow him on Twitter or add a comment below.