The Data Controller is the person or business that determines the means and purpose of data processing. GDPR places greater accountability obligations on Data Controllers to demonstrate compliance. These may include some of the following requirements:
Prepare and maintain relevant documentation
Minimise the amount of personal data being processed by implementing data protection by design and by default
Perform a data protection impact assessment
Provide a fair data processing notice to Data Subjects
The Data Processor is the person or business processing data on behalf of the Data Controller. The Data Processor is subject to different obligations under GDPR. These may include:
Maintaining a written record of their processing activities
Notifying the Data Controller in case of a data breach