What is a Data Controller in GDPR?

Published on : 19 Aug 2021

Data Controller In GDPR

The General Data Protection Regulation (GDPR) draws a clear distinction between controllers and processors. The distinction exists because not all organizations that handle personal data carry the same degree of responsibility: the party that decides why and how data is processed is held to a higher standard than the party that merely processes it on instruction.

GDPR (Article 4(7)) defines a controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". In practice, data controllers are the organizations that make the key decisions about a processing activity: why the personal data is collected (the purposes) and how it is processed (the means). They exercise control over the personal data they collect and are ultimately responsible for ensuring that the processing is lawful.

A controller can be a business, an organization, any other legal entity, or even an individual, as outlined in the GDPR. However, it is important to note that an individual processing personal data in the course of a purely personal or household activity is not considered a controller and is not subject to the GDPR (Article 2(2)(c)). It is also important to understand that, in the UK, section 6(2) of the Data Protection Act 2018 provides that where personal data is processed only because an enactment requires it, the person on whom that legal obligation is imposed is the controller for that processing and must comply with GDPR accordingly.

Organizations that are controllers, as defined by GDPR, are required to comply with the Regulation and must be able to demonstrate compliance with the data protection principles (the accountability principle, Article 5(2)). They are required to implement appropriate technical and organizational measures to ensure, and to be able to show, that their processing is carried out in line with the GDPR.

For organizations that need guidance in understanding their obligations as a Data Controller or Data Processor and are looking to achieve compliance, VISTA InfoSec can provide the right direction. Our compliance experts can work with your team and guide your organization in implementing the measures needed to ensure compliance. For more details about our GDPR services or about the GDPR Regulation, you can send your query by email to info[a]vistainfosec.com

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA and PDPB, to name a few. The company has worked since 2004 with organizations across the globe to address the regulatory and information security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.