Who’s the Data Controller, Who’s the Data Processor and What’s the Role of the Data Protection Officer (DPO)?

What UK GDPR says:

  • Data Protection Officer (DPO): the person in your organisation who is responsible for GDPR compliance, monitoring data protection activities, and acting as a point of contact with the ICO (Information Commissioner’s Office) and data subjects.
  • Data Controller: Decides why and how personal data is collected and used.
  • Data Processor: Acts only on instructions from the controller to process the data.

When is a DPO required?

Under UK GDPR (Article 37), you must appoint a DPO if:
✅ You are a public authority or body (except courts acting in a judicial capacity)
✅ Your core activities require regular and systematic monitoring of individuals on a large scale
✅ Your core activities involve processing special category data or data about criminal offences on a large scale

Even when not legally required, some organisations voluntarily appoint a DPO as good practice. Your DPO also acts as your Subject Access Request (SAR) point of contact.

Data Controller and Data Processor

Under the UK GDPR, a data controller is the organisation that determines the purposes for which personal data is collected and how it will be processed. A data processor, on the other hand, acts on behalf of the controller, processing personal data only according to the controller’s instructions. In short, the controller decides what data is collected and why, and the processor carries out the processing as directed.

How does this work?

Example 1:

If you are a bookkeeping company using our secure web form to collect clients’ financial records, you are acting as the data controller, because you decide what data is collected and why. If you then use a payroll company to process that data on your behalf, the payroll company acts as your data processor.

Example 2:

If you are a service company and you use our secure web form to collect client details, you are the data controller, because you decide what data to collect and why. If you hire a marketing company to process that data (for example, to send emails or run a campaign on your behalf), the marketing company acts as your data processor, as they are processing the data only under your instructions.

Example 3:

If you are a law firm collecting client information through a secure webform for the purpose of providing legal advice, you are the data controller, because you decide what information is needed and how it will be used. If you use an external document management provider or case management software that processes that data on your behalf, that provider acts as your data processor, as they are handling the data solely according to your instructions.

Example 4:

If you are a building contractor and you collect customer details (such as names, addresses, and project requirements) through a secure webform, you are the data controller, because you decide what data is collected and for what purpose. If you store and manage that data using a third-party CRM provider, the CRM company acts as your data processor, as it processes the data only on your instructions to help you manage client relationships.

Disclaimer

This article is for educational purposes and to give you a better understanding of GDPR law. It does not aim to provide specific legal advice. By using this site, you acknowledge that no solicitor-client relationship exists between you and AI6. We strongly recommend that you seek independent legal advice to address the specific needs of your business.
