All-in-one Risk Management Platform

What is a Data Controller?

Data controllers are a key part of GDPR compliance. In this guide, we'll walk through everything you need to know about this crucial GDPR role.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Join thousands of companies who build trust with Accountable.

What is a Data Controller?

Many businesses and organizations nowadays have to ensure that they are GDPR compliant. If you're working on GDPR compliance, you've probably come across the phrases "data controller" and "data processor" at some time. These are the two key and defined roles within GDPR compliance which are extremely important to understand and then properly fulfill within your organization. 

In this guide, we’ll explore what data controllers are and what their key roles involve. Let’s start by breaking down the GDPR to give better context into how data controllers work.

What is the GDPR?

The General Data Protection Regulation, or GDPR, is the biggest and most comprehensive data privacy regulation, raising the bar for data privacy protection everywhere.

Personal data, which is at the center of the GDPR, is defined as any information about a natural person (also known as the data subject) that may be used to directly or indirectly identify that person under the GDPR. It might be a name, a photo, an email address, bank account information, medical information, or even a computer's IP address.

As a result of such a wide definition, businesses must take documented procedures to limit access to all personal data to only authorized and credentialed workers with job positions that need it. Under the GDPR, security breaches caused by a failure to implement security standards will result in significant fines and punitive penalties.

In addition, the GDPR grants certain rights to data subjects. To comply with the GDPR, all organizations collecting personal data on EU people must recognize and apply these legislated rights.

What is a Data Controller?

Under the GDPR there are two main positions that have responsibilities and are titled under the law, the Data Controller and Data Processor

When it comes to preserving the privacy and rights of the data's subject, such as a website user, the data controller has the most responsibility under GDPR. The data controller is in charge of data usage methods and purposes. In other words, the data controller will be the one to choose how and why data will be utilized by the company.

A data controller can use its own methods to process gathered data. However, in certain cases, a data controller will need to collaborate with a third party or an external service in order to work with the information obtained. Personal data is processed for the purposes and in the manner determined by the data controller. Your corporation or organization is the data controller if it decides "why" and "how" personal data should be handled. Employees that handle personal data for your company do so to help you fulfill your responsibilities as the data controller.

Even in this case, the data controller will refuse to hand up control of the data to the third-party provider. By stating how the data will be used and processed by that external service, the data controller will maintain control.

If you select how to gather personal information from your customers, site visitors, and other targets, you are the data controller for your company or organization. Data controllers must be able to do these things legally. Data controllers also select what data to gather, how to edit or modify it, and where and how to utilize it for what reason. Data controllers can also decide whether they want to retain the data in-house or share it with other parties, as well as who they want to share it with. Some data controllers may be in charge of deciding how long to keep data and when to delete it.

“Saved our business.”
"Easy to use!"
"Accountable is a no brainer."

Get started with Accountable today.

The modern platform to manage risk and build trust across privacy, security, and compliance.
Get Started Today
Join over 17,000 companies who trust Accountable.

Data Controller Duties

Data controllers have many responsibilities. Businesses must have at least one valid cause for collecting personal data under the GDPR. The data controller for the company must be able to establish that legitimate reason. The following are the six legal bases for collecting personal data:

  1. Individual consent was granted to the firm.
  2. A contract between an organization and an individual that needs personal information.
  3. Observance of a legal requirement.
  4. The safeguarding of a person's vital interests.
  5. Personal data processing is required for public responsibilities.
  6. Protection of a company's legitimate interests, usually for legal reasons.

Data controllers must also keep meticulous records of the information they gather, where it is sent, and how it is used. They have to keep those records in writing. They must document explicitly who and for what reason they are selling data to other parties. Individuals (or data subjects, as the GDPR defines them) must also have access to such information.

Data controllers must also make their contact information available to data subjects so that they may contact them with queries about their personal information and how it is handled.

The GDPR mandates the appointment of a Data Protection Officer by businesses (a.k.a. DPO). A data controller could be in charge of this. If an organization handles substantial volumes of sensitive data (such as a big medical facility or financial institution) or frequently gathers copious amounts of data, including frequent monitoring or surveillance, it must designate a DPO.

As you can see, the Data Controller is a vital role in GDPR compliance for any and all organizations who are seeking and maintaining compliance. Since this person oversees the methods of processing and handling of personal data for the entire organization, it is important to choose someone who is attentive to detail and trustworthy in addition to knowledgeable about data security. 

Understanding this role and staying up to date with all of the included tasks is essential to an organization’s proactive compliance and data security efforts.

Like what you see?  Learn more below

Data controllers are a key part of GDPR compliance. In this guide, we'll walk through everything you need to know about this crucial GDPR role.
How to Respond to a Breach or Cyberattack
CMIA (California Confidentiality of Medical Information Act)
What is a HIPAA Compliance Checklist?
Ten Common HIPAA Compliance Mistakes and Effective Strategies for Mitigation
Safeguarding Your Business: Preventing a Data Incident
What is Personal Data under the GDPR?
Streamlining the Employee Off-boarding Process
Traits and Responsibilities of a GDPR Data Controller
ISO 27001 vs HIPAA
Complying with Texas HB300
Contractors Under CCPA/CPRA
Why was the CCPA Introduced?
HIPAA IT Compliance Checklist
How to Secure Your Company's Email Communication: Best Practices and Strategies
Complying with ISO 27001: Strategies and Best Practices
GDPR Compliance for Startups
CCPA vs CPRA vs GDPR
What is Personal Information Under the CPRA?
Steps to Ensure Operational Resilience
The CCPA Do Not Sell Requirement
Am I a Data Controller or Data Processor?
Service Providers Under CCPA/CPRA
Why Security Does Not Equal Data Privacy
What Does PHI Stand For?
Common GDPR Compliance Mistakes & Pain Points
"Likely to Result in Risk" Under GDPR
HIPAA vs. GLBA
Key Elements of a Data Processing Agreement
What Is a Data Processor?
What is a Business Associate Subcontractor?
What You Need To Know About Browser Cookies
How Long Should You Retain Personal Data?
Operational Risk Management
ADPPA Preview
What is a Data Controller?
Data Protection Impact Assessments (DPIAs)
The Importance of Monitoring External Data Breaches
GDPR vs. HIPAA
Fraud Risk Factors
Security Awareness Training
5 Steps to Creating a Vendor Management Process
The 18 PHI Identifiers
Notice of Privacy Practices under HIPAA
Data Subject Access Requests
What is a HIPAA Lawyer?
What You Need to Know About Data Encryption
ISO 27001
Types of Financial Risk
SOC 2 Compliance Mistakes
Data Disaster Recovery Plan
The Truth about Data Security
Business Continuity Plans
Security Risk Assessment Overview
How To Comply With the HIPAA Security Rule
How To Ensure GDPR Compliance
The Complete Guide to PCI Compliance
Data Governance in Healthcare
Why is Personal Data Valuable?
8 Steps To Establish a Risk Management Framework
How To Prevent a Former Employee From Becoming a Security Risk
Vendor Risk Management
4 PCI DSS Compliance Levels
The Difference Between DoS and DDoS Attacks
Internet of Things (IoT) Security
Compliance as a Competitive Advantage
SOC 2 Compliance
Opt-In vs. Opt-Out Data Rights
Five Principles of Risk Management
5 Habits of an Effective Privacy Officer
Principles of Data Governance
Data Protection Officer vs. HIPAA Privacy Officer
Personally Identifiable Information (PII)