
Get an overview of your obligations with the data checklist for developers.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

  • England

From:

Developers - How to comply with the UK GDPR as a developer - Step 3: Determine if you are a data controller or processor

Controllers and processors are both responsible for complying with the UK GDPR. However, your obligations will vary in respect of each of the processing activities you carry out depending on whether you determine you are a controller or a processor for each processing purpose.

You must be able to demonstrate compliance with the data protection principles and take appropriate technical and organisational measures to make sure your processing is carried out in line with the UK GDPR.

You will be classed as a data controller for a processing activity if you:

  • make decisions about what personal data is to be processed
  • make decisions about how and why personal data is processed

If another party makes those decisions, they in turn will be a controller, and you will be their processor when you process personal data on their behalf. Data processors must select appropriate methods that meet the data controller’s standards for data processing, as well as the standards defining what data is to be collected, why, and under which lawful basis under the UK GDPR, the Data Protection Act, and the common law duty of confidentiality.

It is possible to be both a controller for one processing purpose and a processor for a different purpose within a single project. It depends on the facts, which you will need to assess. You may also determine that you and another organisation both act as controllers of a processing activity (as joint controllers); for example, when you are processing personal data for a shared purpose. See examples in ICO’s guidance on controllers and processors.

Decision tool:

Use the ICO's controllers and processors checklists to help determine whether you are a data controller or a data processor. The descriptions of the obligations are listed under each role. The HRA has also published guidance on the role of research sponsors as controllers.


Get more support

To discover how the HRA can assist you and for contact details, visit our 'Get Support' page.
