Who Is Responsible for Personal Data? A Legal Perspective on Controllers and Processors - Berry Smith

Understanding who is responsible for personal data is one of the most important, and frequently misunderstood, aspects of data protection law.

Under the UK GDPR and the Data Protection Act 2018, organisations handling personal data generally fall into one of two categories: data controllers or data processors. The distinction is significant because different legal obligations apply depending on the role an organisation performs.

Incorrectly identifying these roles can lead to regulatory risk, contractual disputes, and uncertainty in the event of a data breach.

What Is a Data Controller?

A data controller is the organisation that determines the purposes and means of processing personal data.

In simple terms, the controller decides:

· why personal data is being processed; and

· how that processing will take place.

Controllers typically collect personal data directly from customers, employees, suppliers, or users in order to achieve a specific business purpose.

Examples of controllers may include:

· employers managing employee records;

· retailers collecting customer information;

· healthcare providers handling patient data; and

· financial institutions processing client information.

Importantly, organisations cannot avoid controller obligations simply because another party carries out the technical processing on their behalf.

What Is a Data Processor?

A data processor processes personal data on behalf of a controller and acts only on the controller’s instructions.

Processors do not determine the purpose for which the data is used. Instead, they provide services involving the handling of personal data.

Common examples of processors include:

· payroll providers;

· cloud storage providers;

· outsourced IT support services; and

· marketing platforms.

While processors have fewer direct obligations than controllers, the UK GDPR imposes a number of important compliance duties on processors in their own right.

Why the Distinction Matters

The distinction between controller and processor is not merely technical. It determines:

· who bears primary compliance responsibility;

· who must provide privacy information to individuals;

· who responds to data subject rights requests;

· who reports personal data breaches;

· who selects appropriate legal bases for processing; and

· how liability may be allocated between parties.

In practice, misunderstandings regarding these roles often arise where organisations assume that outsourcing a function also transfers legal responsibility. In most cases, this is incorrect.

A controller generally remains accountable for ensuring personal data is processed lawfully, securely, and transparently, even where third-party providers are involved.

The Importance of Data Processing Agreements

Where a controller engages a processor, the UK GDPR requires certain mandatory contractual terms to be included in a written data processing agreement.

These agreements should clearly address:

· the subject matter and duration of processing;

· the nature and purpose of processing activities;

· the categories of personal data involved;

· security obligations;

· confidentiality requirements;

· audit and inspection rights;

· sub-processing arrangements; and

· breach notification obligations.

Poorly drafted or generic contracts can create significant uncertainty, particularly following a cyber incident or regulatory investigation.

Enforcement and Liability Risks

Both controllers and processors may face regulatory action for non-compliance.

Potential consequences include:

· regulatory investigations;

· enforcement notices;

· financial penalties;

· compensation claims from affected individuals; and

· reputational damage.

Businesses that fail to properly identify their data protection roles or implement appropriate contractual safeguards may expose themselves to unnecessary legal and commercial risk.

Berry Smith’s Bottom Line

Navigating data protection obligations can be complex, particularly where organisations operate across multiple jurisdictions, rely on third-party suppliers, or process large volumes of personal data.

Businesses should ensure they clearly identify their role in relation to each processing activity, implement appropriate contractual arrangements, and maintain effective oversight of third-party providers.

Berry Smith advises businesses on a wide range of data protection and privacy matters, including:

· data protection compliance;

· drafting and negotiating data processing agreements; and

· privacy policies and governance frameworks.

Contact us: commercial@berrysmith.com | 02920 345 511