
Understanding Who’s Responsible for What Under UK Data Protection Law
One of the most common questions we receive from clients relates to their data. “Why is Sarah’s mailbox full?” “What’s using all the space on our file server?” “Can you tell us what emails John has been deleting?”
These are perfectly reasonable questions, but the answers often surprise business owners. As your IT provider, we can tell you how much data exists and where it’s stored—but we can’t tell you what that data contains or make decisions about it. That’s not us being unhelpful; it’s data protection law working exactly as it should.
Understanding the difference between a data controller and a data processor is essential for every business owner. It clarifies responsibilities, prevents misunderstandings, and ensures your business remains compliant.
The Two Key Roles in Data Protection
UK data protection law defines two distinct roles when it comes to handling personal data. Most businesses will act as both at different times, but understanding which hat you’re wearing in each situation is crucial.
Data Controller: The Decision Maker
The data controller is the organisation (or person) that decides why personal data is collected and how it will be used. They call the shots on data.
If you run a business and collect customer information, employee records, or supplier details, you are the data controller for that data. You decided to collect it, you determine what it’s used for, and you’re ultimately responsible for protecting it.
Data controller responsibilities include:
- Deciding what personal data to collect and why
- Ensuring there’s a lawful basis for processing
- Informing individuals about how their data is used (privacy notices)
- Responding to subject access requests (SARs)
- Ensuring data is kept secure (including choosing trustworthy processors)
- Reporting data breaches to the ICO when required
- Deciding how long data is retained and when it should be deleted
Data Processor: The Service Provider
A data processor is an organisation that handles personal data on behalf of the controller. They don’t decide what to do with the data—they simply process it according to the controller’s instructions.
As your IT managed service provider, we are a data processor. We maintain the systems where your data lives—your email platform, file servers, backups, and cloud services—but the data itself belongs to you and your business.
Data processor responsibilities include:
- Only processing data according to the controller’s documented instructions
- Keeping data secure through appropriate technical measures
- Not sharing data with third parties without authorisation
- Assisting the controller with compliance obligations when requested
- Notifying the controller of any data breaches
- Deleting or returning data when the contract ends
A Real-World Example: The Overflowing Mailbox
Let’s say you call us because an employee’s Microsoft 365 mailbox is full and they can’t send emails. Here’s what we can and can’t do:
What We Can Do (As Your Processor)
We can run diagnostic reports that show you high-level, non-personal information about the mailbox. For example, we might generate a PowerShell report showing that the Inbox contains 15,000 items averaging 250KB each, the Sent Items folder has 8,000 items, or the Deleted Items folder contains 12,000 items that haven’t been emptied.
This tells you where the storage is being used without us accessing the actual content of any emails. We’re reporting on the container, not reading what’s inside.
Similarly, if your file server is running low on space, we can use tools to analyse storage usage and show you which folders are consuming the most space—“The Finance folder is using 200GB, with the 2019 Archives subfolder accounting for 150GB of that.” Again, we’re reporting on structure and size, not examining the documents themselves.
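The two metadata-only reports described above (mailbox folder statistics and file-server folder sizes), written out as an added example rather than the provider’s own tooling. It assumes the ExchangeOnlineManagement module is installed, that an authorised administrator has already run Connect-ExchangeOnline, and that the mailbox address and UNC path in the usage lines are placeholders.

```powershell
# Added example: storage reports that touch only folder metadata (counts and sizes),
# never message bodies, subjects, attachments or file contents.
# Assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline has been run.

function ConvertTo-Bytes {
    # Exchange reports sizes as text such as "1.2 GB (1,288,490,189 bytes)";
    # extract the exact byte count so folders can be compared and averaged.
    param([string]$SizeText)
    if ($SizeText -match '\(([\d,]+) bytes\)') {
        return [int64]($Matches[1] -replace ',', '')
    }
    return [int64]0
}

function Get-MailboxStorageReport {
    # Per-folder item counts, total size and average item size for one mailbox.
    # Only folder statistics are requested; no item content is retrieved.
    param([Parameter(Mandatory)][string]$Identity)

    Get-EXOMailboxFolderStatistics -Identity $Identity -FolderScope All |
        Where-Object { $_.ItemsInFolder -gt 0 } |
        ForEach-Object {
            $bytes = ConvertTo-Bytes $_.FolderSize
            [pscustomobject]@{
                Folder    = $_.FolderPath
                Items     = $_.ItemsInFolder
                SizeMB    = [math]::Round($bytes / 1MB, 1)
                AvgItemKB = [math]::Round($bytes / $_.ItemsInFolder / 1KB, 1)
            }
        } |
        Sort-Object SizeMB -Descending
}

function Get-FolderUsageReport {
    # Size of each top-level folder under a share root, computed from file
    # metadata (Length) only; no files are opened or read.
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Directory -Force | ForEach-Object {
        $files = Get-ChildItem -LiteralPath $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue
        $sum   = [double]($files | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Folder = $_.Name
            Files  = @($files).Count
            SizeGB = [math]::Round($sum / 1GB, 2)
        }
    } | Sort-Object SizeGB -Descending
}

# Usage (placeholder mailbox and share path):
# Get-MailboxStorageReport -Identity 'user@example.com' | Format-Table -AutoSize
# Get-FolderUsageReport -Path '\\fileserver\Shares' | Format-Table -AutoSize
```

The output is the kind of “container” view the text describes: which folders hold the items and the space, with nothing that reveals what any individual item contains.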
What We Can’t Do (That’s Your Role as Controller)
We cannot read the emails to tell you what they contain. We cannot decide which emails should be deleted. We cannot tell you whether an employee’s email usage is appropriate. We cannot search through mailboxes looking for specific information. We cannot make judgements about whether data should be retained or removed.
These are all decisions that belong to you as the data controller. The data is yours; we simply provide the infrastructure and can give you the tools and reports to help you make informed decisions.
Why This Distinction Matters
Legal Compliance
The separation of controller and processor roles isn’t just good practice—it’s a legal requirement under the UK GDPR. Both parties have specific obligations, and blurring the lines can create compliance problems for everyone.
Protecting Your Business
Clear boundaries protect your business. If we were to access and make decisions about your data without proper authority, we could inadvertently breach data protection law—and potentially expose your business to liability. By maintaining our role as processor, we help keep you compliant.
Protecting Your Employees
Your employees have a reasonable expectation that their work emails and files won’t be casually browsed by third parties. The controller/processor distinction ensures that any access to personal data is properly authorised and documented.
Accountability
When roles are clearly defined, accountability is clear. If something goes wrong, there’s no confusion about who was responsible for what. This clarity benefits everyone.
What You Might Need From Us
While we can’t access or make decisions about your data, there’s plenty we can do to help you manage it effectively:
Storage and usage reports
High-level reports showing mailbox sizes, folder structures, file server usage, and storage trends—giving you the information you need to make decisions.
Implementing your retention policies
Once you’ve decided on data retention rules, we can help configure systems to enforce them automatically.
Archiving solutions
We can implement email archiving and file archiving solutions that help you manage storage while maintaining compliance.
Access controls and auditing
We can set up and maintain access controls so only authorised people can access specific data, and audit trails so you can see who accessed what.
Technical assistance for investigations
If you have a legitimate need to investigate an employee’s data usage (for example, a disciplinary matter), we can provide technical support while you—as the controller—make the decisions and maintain proper documentation.
The Data Processing Agreement
UK GDPR requires that controllers and processors have a written contract—often called a Data Processing Agreement (DPA)—that sets out the terms of the relationship. This document defines what data we process on your behalf, what we’re authorised to do with it, and the security measures we have in place.
If you don’t have a DPA in place with us, or if you’d like to review your existing agreement, please get in touch. It’s an important document that protects both parties.
Quick Reference: Who Does What?
You (Data Controller) decide what data to collect, why it’s needed, how long to keep it, who can access it, and what to do when someone requests their data.
We (Data Processor) keep your systems running securely, provide reports and tools to help you manage data, implement your policies technically, and alert you to any security incidents.
Together we ensure your data is secure, compliant, and well-managed—with clear accountability at every step.
Questions?
Understanding data protection roles can feel complicated at first, but once the boundaries are clear, everything becomes simpler. If you’re ever unsure about who’s responsible for what, or if you need help implementing data management policies, we’re here to help.
Remember: when it comes to your data, you’re in control. We’re here to make sure the technology supports your decisions—not to make those decisions for you.
Need help understanding your data or implementing retention policies?
Get in touch—we’re happy to run reports and advise on your options.
Give our friendly experts a call on 020 3327 0310.