Processor, controller or protection officer: what’s the difference?

Managing Director

Fav thing about the office

Good banter

As a child I wanted to be a ... when I grew up


Guilty Pleasure(s)

Strictly come dancing

Favourite Holiday


If I had a superpower it would be...

Mind Reading

Describe yourself in three words or less

Methodical, Energetic, Reliable

An interesting fact about me

Started “Work” life as an opera singer


Horse riding, fillet steak and a good curry

Favourite Band

…into Classical Music

Karaoke Jam

Desperado- The Eagles

What I do at Q2Q:

My role is to provide the overall direction and “eye on the compass” as to where we, as a team, are heading.

I’m still very much focused on the customer and will often get involved in customer solution discussions. As a techie at heart, I’m regularly seeking to understand industry developments and directional changes that may affect our customers, so we and our customers can remain on the front foot.

Background and Achievements

I started out in an I.T technical department of what was then British Rail, following which I joined a large construction company to re-organise their I.T infrastructure.

I then spent a couple of years as a business systems analyst at P&O Nedlloyd designing, developing and implementing systems within their Bulk and Tank Carrier companies.

In 1999 I was appointed as I.T Manager of SockShop and subsequently as of Head of I.T. at the Tulchan Group, comprising then of 300 stores. Due to a Year 2000 compliance issue, we were required to seek an alternative system, which we were able to more cost effectively write ourselves. This product subsequently became known as RAWHIDE and we later sold this product into a number of other businesses. At the time it was quite cutting edge as all the warehouse function was undertaken using handheld, wireless scanners, rather than the batch scanners that were dominant at the time.

In 2003 The Tulchan Group was acquired by Harris Watson. We were then asked to take responsibility for the I.T. of Viyella Ladies wear and in 2004 the demands of two MD’s and two FD’s (Tulchan Group + Viyella), resulted in the sensible decision to break out of the group and Q2Q was born. This then enabled us to also get involved with a number of other group companies (Harris Watson owned companies) as well as other non-group parties.  At one stage we were managing the I.T for almost 500 stores across a number of businesses.

Today Q2Q retains some of the group customers that we acquired along the way, as well as a substantial number of new and diverse customers in almost all industries including accounting, business development organisations, legal marketing, medical, retail and wholesale.

Hobbies and Interests

Horse riding, running (Jogging), motorbikes, reading any of the Detective Rebus stories.

When the GDPR comes into effect on 25 May, anyone dealing with personal data within an organisation will have to adhere to certain rules to ensure the information is adequately safeguarded. We recently shared some expert guidance with the Manchester Business Post on the different levels of responsibility that exist when it comes to data processing – if you missed the online article or magazine, you can read our advice in full below…

As most businesses will (hopefully!) be aware by now, the GDPR will undoubtedly require certain changes to be made to the way they capture, store and use personal data. It’s likely that within your organisation, there is more than one person who handles such sensitive information – whether through direct contact with clients and customers, fulfilling professional responsibilities, or sending out targeted marketing campaigns, for example.

Just as data processing varies hugely from sector to sector and business to business, the degree of responsibility each individual within an organisation has for managing such procedures is very different too. So, depending on their role within the company and the functions they regularly carry out, as long as their duties involve the use of personal data, they will qualify as either a Data Processor, Data Controller or – if specifically assigned – a Data Protection Officer (DPO).

Understanding the purpose of these key roles is essential, as the classifications will ultimately determine whose job it is to ensure legal requirements are met, along with who will be held accountable should a GDPR breach occur. But instead of being seen as a curse, these labels will actually provide some much-needed clarity surrounding who is responsible for each specific process, not to mention the overall compliance journey.

So, what does each role entail?

·         Data Processor – This is anyone who carries out personal data processing under the instruction of a Data Controller. As the foundation level of responsibility when it comes to handling sensitive information, the rules that underpin the role also apply to the Controller and Protection Officer.

·         Data Controller – This is the legal person, public authority, agency or other body who determines the purpose and means of personal data processing – either alone or jointly with others. Within an organisation, this person is responsible for overseeing all Processors who use such information.

·         Data Protection Officer (DPO) – This is a role specifically assigned by an organisation, with the appointed individual taking ultimate responsibility for GDPR compliance and the protection of personal data. Any company can assign a DPO either internally or externally, but not all are obliged to do so.

Do we need to assign a DPO?

Only companies that fit the criteria laid out by the supervisory authority (the Information Commissioner’s Office for the UK) will be required to appoint a DPO. Assigning an officer will be mandatory for the following organisations:

·         Public bodies

·         Those whose core activities require a high volume of regular, systematic personal data monitoring

·         Those that undertake large-scale processing of special categories of data.

What does a DPO actually do?

Quite simply, the Data Protection Officer’s key responsibilities are ensuring that the company’s processes comply with the GDPR and the personal data it holds is adequately safeguarded. To break it down further, this involves:

·         Informing and advising the organisation and its employees about the GDPR, security and compliance obligations and providing necessary training

·         Monitoring compliance with the data protection legislation

·         Managing internal data protection activities and conducting audits

·         Overseeing Data Privacy Impacts Assessments (DPIAs)

·         Acting as the first point of contact for supervisory authorities and data subjects (including employees and customers).

So, who should we appoint?

A DPO can’t be just anyone – they can be assigned internally or externally, but only if they fulfil certain requirements. That’s why, before you think about putting yourself or another team member forwards for the position, it’s essential to ensure the crucial criteria is met. The DPO must:

·         Have professional experience and knowledge of data protection law (proportionate to the type of processing carried out by the organisation and level of safeguarding required)

·         Be accessible to data subjects

·         Not have any conflicts of interest relating to the role

·         Adhere to confidentiality rules

·         Have access to the highest level of management within the organisation.

What are my responsibilities as a business owner?

If your organisation is required to appoint a DPO, it’s important to be aware of the obligations you have as their employer or contractor. You will be responsible for ensuring that:

·         They report to the highest level of management within your company

·         They operate independently and cannot be dismissed/disciplined for performing required tasks

·         They receive adequate resources to be able to meet their compliance obligations.


For further information about what the role of the Data Protection Officer entails, additional advice relating to the GDPR, or to enquire about our Virtual DPO service, just get in touch!

Processor, controller or protection officer: what’s the difference?