GDPR – Data controller versus data processor

aat comment

Asking someone whether they’re a data controller or a data processor often leads to a blank look even though the Data Protection Act (DPA) has been around for 20 years.

There are currently some fundamental differences and the respective responsibilities will be changing under GDPR.

A data controller is defined by the act as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”. In short they decide the ‘why’ and the ‘how’ data is processed and, except in a very limited circumstance, requires them to be registered with the Information Commissioner’s Office (ICO) as a data controller.

A data processor is defined by the act as “any person (other than an employee of the data controller) who processes the data on behalf of the data controller”.

Picking out a few elements to expand on

  • “Jointly” means acting together to decide what the data is used for. An example would be a network of CCTV cameras operated by a local authority and the Police. Both have input into how they are run and what the images are used for.
  • “In common with” means sharing a common pool of data which each processes independently. An example would be a Government database of all children in the UK used by local authorities. Each local authority contributes data, is responsible for its own data and, in addition, has access to all the data in the database for its own needs.
  • “Other than an employee of the data controller” means agency and temporary staff, consultants, contractors and suppliers.

Only the data controller is held liable for compliance to the DPA, not the data processor.

Data controllers will usually seek to pass on their responsibilities to their data processors through a data processing agreement. The agreement will normally include that any processing must be governed by a written contract, carried out in accordance with the controller’s instructions, and be subject to appropriate security measures.

Regardless of the existence of any data processing agreement, data controllers remain legally responsible for any breaches caused by the actions of their data processors and have no direct enforcement powers against processors.

So how does this apply to AAT members (and accountants generally)?

You will already be a data controller for the data you collect about your client on engagement, for example, to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and a data processor in respect of their data that you handle.

Data protection is referred to in the AAT Code of Professional Ethics – Section 225 and may mean that the AAT member is acting as a data controller when handling client data. This is also explicitly referred to by the ICO in their data controller and data processor guidance:


  1. A firm uses an accountant to do its books. When acting for his client, the accountant is a data controller in relation to the personal data in the accounts. This is because accountants and similar providers of professional services work under a range of professional obligations which oblige them to take responsibility for the personal data they process. For example, if the accountant detects malpractice whilst doing the firm’s accounts he may, depending on its nature, be required under his monitoring obligations to report the malpractice to the police or other authorities. In doing so an accountant would not be acting on the client’s instructions but in accordance with its own professional obligations and therefore as a data controller in his own right.”

So what’s different from 25th May 2018 when GDPR applies?

For the first time, the GDPR places direct statutory obligations on data processors. These obligations mean that data processors may be subject to direct enforcement by the ICO, fines for non-compliance and compensation claims by data subjects for any damage caused by a breach of the GDPR.

It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms not later than 72 hours after having become aware of it. The threshold to determine whether an incident needs to be reported to the ICO depends on the risk it poses to people involved. In addition, if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.

So now you know the difference between data controllers and data processors, you’ll know that some of the time you’ll be a controller and some of the time a processor.

Look out for my next two articles which will cover the obligations of each in more detail.

Ian Cooley GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.

Related articles