Data Controller
A data controller is the person or organisation that determines the purposes and means of processing personal data. Under UK GDPR, data controllers must register with the ICO (unless exempt), implement appropriate technical and organisational measures to protect data, and ensure individuals can exercise their data rights. Data processors (acting on a controller's instructions) have separate but related obligations.
A data controller determines the purposes and means of processing personal data and bears primary accountability under UK GDPR. Most organisations that collect personal data about customers, employees, or service users are data controllers. Controllers must register with (and pay a fee to) the Information Commissioner's Office (ICO) unless exempt, implement appropriate technical and organisational security measures, and ensure individuals can exercise their data rights. A data processor acts only on the controller's documented instructions and must be governed by a written Data Processing Agreement (DPA). Processors have had direct obligations under UK GDPR since 2018 (unlike under the old Data Protection Act regime). Joint controllers must determine their respective responsibilities by agreement. A common pitfall for small businesses is assuming they are 'just a processor' when they in fact make decisions about how data is used; such misclassification can expose them to fines for failing to meet controller obligations.