GDPR Data Processor vs Data Controller | DMA

Filter By

Show All

Connect to


GDPR Data Processor vs Data Controller


To ensure maximum protection for EU citizens, the new General Data Protection Regulation (GDPR) defines two roles into which every business handling personal data falls. Somewhat confusingly, these new functions have the same names as those originally implemented under the UK’s 1998 Data Protection Act.

It is important to realise that there are subtle differences between the roles since GDPR came into force however, so it pays to look at the issue with fresh eyes. The distinction between controller and processor has become increasingly blurred as companies share personal data with third parties for services like marketing and cloud data storage.

Regardless of the complexity, your business needs to know under which circumstances it classifies as a controller, processor, or both. Only then can you meet your specific data protection obligations.

NOTE: The GDPR applies to any business worldwide that controls or processes personal data belonging to EU citizens. It is vital that senior decision makers worldwide properly understand the GDPR data processor vs data controller distinction.

What is a GDPR Data Controller?

Ultimately the controller is responsible for defining how data is processed, whether they do that work themselves or outsource to a third-party processor.

At the most basic level, the GDPR data controller is the “custodian” of the data.

Still unsure? Discover more here

Hear more from the DMA