Skip to content

Digital Impact was created by the Digital Civil Society Lab at Stanford PACS and was managed until 2024. It is no longer being updated.

Data Processor or Data Controller: What Am I and Why Does It Matter?

Visit digitalimpact.io/subscribe to get updates on GDPR and other topics. This post does not constitute legal advice.

What is a data processor, what is a data controller, and what are their duties under the GDPR? To help professionals fully understand their obligations and promote good practice, the Information Commissioner’s Office (ICO) prepared a 20-page guidance on the differences and governance implications of the two vital roles.

“As information systems and business models become more complex, a number of organizations may be working together in an initiative that involves processing personal data… In data protection terms, these organizations must act as either data controllers or data processors.”

As the Belgium-based i-SCOOP explains, under the GDPR, data processors and controllers (two terms it says are constantly used in the text of the GDPR and all that gets written around it) have common duties and share liability. But some things have changed. Read the detailed overview for more.