GDPRs Data Protection

Who is liable under current law?

The Data Protection Act 1998 (DPA), which currently regulates data protection law in England, distinguishes between two types of ‘users’ of personal data (see what is the difference below):-

  • Data controller; and
  • Data processor.

The position under the DPA is that all of the liability for data protection sits with data controllers, who manage that liability through the contract with the data processor.
In other words, data processors are only liable for data protection breaches insofar as they agree to it under their contract with a data controller.

New legal position under the GDPRs

The distinction between data controller and data processor will remain.

However, data processors will now have obligations under the General Data Protection Regulations (GDPRs) which if not complied with can result in a fine.

This means that like data controllers, data processors can potentially be liable under the GDPRs in addition to any liabilities they have agreed to in their contracts.

Under the GDPRs data controllers and data processors have different obligations and so it’s important to understand when you are a data controller or data processor (most businesses will be data controllers at least in terms of employee personal data), but depending on the business may also be data processor (maybe under customer contracts).

So what is the difference between data controllers and data processors?

Confusingly, both data controllers and data processors ‘process’ personal data.

Put simply ‘process’ is doing pretty much anything with personal data, including:-

  • Collection
  • Recording
  • Organisation
  • Structuring
  • Storage
  • Retrieval
  • Use
  • Erasure

The distinction however is about whether you are deciding how to process the personal data, what for and who is using it etc (meaning you are more likely to be a data controller) OR whether you are processing the personal data on behalf of another (in which case you are more likely to be a data processor).

The ICO states that you should determine which company (e.g. your company or its customer/supplier) decides:-

  • to collect the personal data in the first place and the legal basis for doing so
  • which items of personal data to collect, i.e. the content of the data
  • the purpose or purposes the data are to be used for
  • which individuals to collect data about
  • whether to disclose the data, and if so, who to
  • whether subject access and other individuals’ rights apply i.e. the application of exemptions
  • how long to retain the data or whether to make non-routine amendments to the data.

If this is your company, then it is likely to be the data controller. But as above if you only handle personal data based on the instructions of another company, then you are probably data processor.


  1. You use a marketing company to attend an event on your behalf and collect details of individuals that are interested in receiving marketing emails from you about your products. You are likely to be the data controller as you decide which data the company is to collect for you and how you will use it etc and they are simply acting under your instructions and so they are likely to be a data processor.
  2. You design a website (which collects personal data) and then host it for a client which is then held on your server. In this instance the client will have decided what personal data they need to collect, why they need it and how it will be handled. So your client will likely be the data controller and you are likely to be the data processor.

(*Note: these are just examples of what is likely to be the position but the ICO would decide based on all the facts and exactly what is happening with the data in each case).

Not to try to confuse you all the more, but remember a company could be acting as both controller and processor in relation to the same data but different processing activities!

The ICO website ( is a good resource to use if you have any data protection questions.


Back to Lawpoint Website