Alan Ballany Written by |

With the General Data Protection Regulations (GDPR) coming into force soon, we present a series on different roles and associated legal responsibilities that your organisation should be aware of if it captures personal data. In this first instalment we look at the Data Controller.

GDPR comes into force on 25 May 2018, less than a year from now. It will have a huge impact on cultural organisations, so we’ve been doing what we can to help you get a handle on the new rules. Check out our introduction to the changes here.

GDPR isn’t starting from scratch. It will actually build on a lot of principles familiar to many from the Data Protection Act 1998 (DPA), so it’s not a complete reset. There is, however, a lot to consider in your preparations. As part of this we’ve pulled out some key definitions and suggest you have a read through to get a handle on your new responsibilities before delving into the ICO’s more detailed guidance.

Data Controller

The definition of data controller will remain largely the same as under the DPA, but with increased responsibilities. A data controller is usually defined as an organisation, not an individual. Under GDPR, the data controller will be responsible for determining the purpose and means of processing personal data. As a cultural organisation that needs to collect people’s personal data, this means you.

As data controller, your organisation will be responsible, from day one, for setting the tone for how all data is fairly processed by you and on your behalf. Under GDPR, this will include setting up binding agreements with separate data processors (more on these next week) if you have them.

A critical part of GDPR is demonstrating accountability and governance. The controller is responsible for implementing appropriate technical and organisational measures to ensure and to demonstrate that its processing activities are compliant with the requirements of the GDPR. These measures may include implementing an appropriate privacy policy or managing the consent of data subjects to marketing communications.

GDPR allows for potentially huge fines for breaches (up to €20 million or 4% of the company’s global annual turnover of the previous financial year to the breach, whichever is higher) so it’s vital that organisations learn their new responsibilities as data controllers. The GDPR provides additional details on how organisations can demonstrate that their processing activities are lawful.

Looking for more information on common GDPR terminology? Watch this series for key definitions and responsibilities to come on: Anonymisation, Data subjects, Data processor and Opt-ins.

what next

We’ve also been hosting speakers from the ICO (Information Commissioner’s Office) as part of our First Wednesday event series – watch for another event coming in November. The message is clear: GDPR will place greater responsibilities on organisations to look after people’s personal data.


A previous version of this article incorrectly stated the potential fine for breaches of GDPR as 10% of a company’s turnover. The correct figure is 4%.

Main image credit: The Fat Controller by Brenda Anderson (CC BY-NC-SA 2.0)