Who is responsible for data protection?

The Data Controller The Act gives the main responsibility for Data Protection to the ‘Data Controller’. This is the ‘person’ who decides why and how personal data is processed. However, a ‘person’ does not have to be an individual; a company (or any ‘incorporated’ organisation) is also a legal person. Although an individual can be a Data Controller in their own right, it is much more likely that the organisation you work for will be the Data Controller.