EU GDPR | Art. 24

Controller Responsibilities

Article 24
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 (Codes of Conduct) or approved certification mechanisms as referred to in Article 42 (Certification) may be used as an element by which to demonstrate compliance with the obligations of the controller.

To review the definition in Article 4(7), the Data Controller means:

4(7) the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

In plain language, “the natural or legal person” means individuals operating as a business, i.e. anything other than purely domestic or personal use. It is important to remember, as a simple example, that a personal blog which by whatever means generates or provides a mechanism to earn revenue stops being domestic or personal use; it becomes a business (whether declared or not!).