Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the GDPR and the fair treatment of individuals. Your obligations under the GDPR will vary depending on whether you are a controller, joint controller or processor.
The ICO has the power to take action against controllers and processors under the GDPR. Individuals can bring claims for compensation and damages against both controllers and processors. You should take the time to assess, and document, the status of each organisation you work with in respect of all the personal data and processing activities you carry out.
Whether you are a controller or processor depends on a number of issues. The key question is who determines the purposes for which the data are processed and the means of processing? Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.
For more information or to discuss whether you are a controller or processor just get in contact or take a look at the ICO’s guide to understanding your role.
Good luck all!