Data Controller

Data controllers decide how personal data will be processed by their organization. GDPR Article 4 defines data controllers as:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”

According to Article 24, data controllers must:

  • Consider the “nature, scope, context and purposes of [data] processing”
  • Evaluate the likelihood and severity of potential risks
  • Ensure data processing is compliant with GDPR rules, putting in place the necessary technical and organizational frameworks to do so
  • Implement data protection measures when necessary
  • Be ready and able to demonstrate compliance

The GDPR places greater responsibility on data controllers, as their decisions determine whether an organization's data processing is compliant.

For more information, check out the Information Commissioner’s Guide on the difference between data controllers and data processors.