Before you can start to work out what your data protection legal obligations are, you need to know what personal data you use and why.

Therefore, the starting point is to carry out a data mapping exercise. This involves documenting:

  • each source of data (e.g., individual or third party)
  • what data you use
  • why you use it – the same data may have many different uses!
  • where it is stored
  • if you pass it to any third parties

For each “why” you then need to work out whether you are a data controller, data processor or joint data controller – this will tell you what your obligations are as the rules are different for each. The ICO provides a checklist in helping you decide which can be found here. For each “why” you will only be one of these, but this may have a different standing for different “whys”.

Only at this stage can you understand what your legal obligations are and where your key risk areas are, meaning that you can then put in place a data protection programme which reflects your business.

For more information see our blawg ‘Data Controller and Data Processors’ here.


Sometimes it is straightforward to work out if you are a data controller, data processor or joint data controller. However, unfortunately it isn’t always clear cut!

The European Data Protection Board has recently updated its guidance on this point. Whilst the UK is no longer part of the EU, currently UK data protection is aligned with EU law (or it certainly was at 31 December 2020) and so it is likely that the ICO (the body responsible for data protection in the UK) will be reviewing the guidance with interest and potentially following its interpretation – although, of course, it won’t be obliged.

We can help you with any part of creating and implementing a bespoke data protection programme, contact Alison on 01202 729444 or e-mail