
What is a data processing agreement?

A data processing agreement (DPA), also known as a controller-to-processor agreement, is the contract the UK GDPR requires whenever one organisation processes personal data on behalf of another. Whether you’re a data controller sharing personal information with a third-party processor or a processor handling data on behalf of a client, you are legally required to have a DPA in place. Without it, your business could face significant legal and commercial risks under the UK GDPR.

From cloud providers and IT support teams to outsourced payroll services, any third party that processes personal data on your behalf must do so under clear contractual terms that protect the data and define each side’s responsibilities. A well-drafted DPA not only helps you comply with the law but also safeguards your business against data misuse and liability exposure.

Our experienced data protection solicitors can help you review or negotiate effective data processing agreements tailored to your business needs, identify hidden risks, and ensure your commercial relationships are built on firm legal foundations.

What is a data controller?

You’re a data controller when you decide why personal data is collected and how it’s going to be used; in the language of the UK GDPR, you determine the purposes and means of the processing. For example, if you decide how to use employee data to meet your own obligations as an employer, or customer information to process orders, then you’re the controller.

What is a data processor?

A data processor is an organisation (typically a service provider) that processes personal data on behalf of a data controller, and only on the controller’s instructions. The processor doesn’t decide how or why the data is used, as that’s the controller’s call.

Common examples of processors include payroll firms, IT support providers and cloud hosting platforms. If these service providers use the personal data you’ve shared with them only to deliver the service you’ve asked for, and not for their own purposes, they’re acting as your processor.

Are you a controller or a processor?

To work out whether you’re a controller or processor in any relationship, you’ll need to analyse who decides why the data is processed and how that processing is carried out.

Remember you’re the controller if you decide the purpose of the processing. The other party is the processor if they’re following your instructions.

But unfortunately, things aren’t always so straightforward. If both parties make their own decisions about the same data (e.g. each using it for different purposes), then you’re both controllers in your own right and will usually want a data sharing agreement. If you decide the purposes and means of the processing together, you’re joint controllers and the UK GDPR requires you to have a joint controller arrangement setting out who is responsible for what.

If you're unsure about where you stand in your role (especially where the processing has multiple purposes), then make sure you do take legal advice on your position before sharing any data.

Remember that there are also other steps to take before you start sharing data with a processor. Before appointing one, you’ll need to conduct due diligence to satisfy yourself that they offer sufficient guarantees of compliance with the UK GDPR, including appropriate technical and organisational security measures to protect the data you share with them.

When do you need a data processing agreement?

You’ll need to enter into a DPA any time a third-party data processor processes personal data on your behalf. This is a strict legal requirement under the UK GDPR – the obligation applies no matter how small the project is or how short the data processing arrangement lasts. The purpose here is to ensure that personal data is protected when it’s shared with third parties, e.g., across your supply chains.

These are some typical scenarios of where you’ll need a DPA, in the context of business suppliers:

  • You outsource payroll to a third party, meaning they’re processing your employee data
  • You hire an IT provider who accesses your customer database for support

The DPA must be in place before the processing starts, so you’ll need it signed before sharing any personal data. It must be in writing (an electronic form is fine) and can be either a standalone agreement or a set of data processing provisions included in a wider commercial agreement. For a deeper understanding of contract requirements and expectations, the ICO guidance on controller–processor contracts is a valuable resource.

What clauses should a data processing agreement include?

Your DPA must meet the requirements of Article 28 of the UK GDPR. Put simply, it needs to oblige the processor to:

  • Only act on your documented instructions (including when transferring data outside the UK), unless the law requires otherwise
  • Keep personal data confidential and make sure all staff and anyone else who accesses it are bound by confidentiality
  • Put appropriate technical and organisational security measures in place
  • Get your prior written authorisation (specific or general) before engaging sub-processors, and tell you about any changes to them if the authorisation is general
  • Flow down the same data protection obligations to any sub-processor
  • Help you respond to data subject rights requests (e.g. access or deletion requests)
  • Support you with your own obligations, e.g. data protection impact assessments and breach reporting, including notifying you without undue delay after becoming aware of a personal data breach
  • Return or delete the personal data at the end of the contract, unless the law requires them to keep it
  • Give you the information you need to demonstrate compliance, and allow for and contribute to audits and inspections

Your agreement also needs to set out:

  • The types of personal data the processor will process
  • The nature and purpose of the processing
  • The subject matter and duration of the processing
  • The categories of data subjects (e.g. whether the data is about your employees, customers or suppliers)

These details will typically be included in an appendix or schedule to the DPA.

What else should you consider for your data processing agreement?

While the law sets out the basics, you’ll often want to negotiate extra terms to manage risk. Here are some key additional considerations which could impact the drafting of your DPA:

  • Security measures: Ask the processor to explain the technical and organisational measures they apply to keep personal data secure, such as encryption in transit and at rest, access controls and logging, backup and recovery, and staff training, along with any independent assurance they can offer (for example, ISO 27001 certification or a recent penetration test). This investigation forms part of your due diligence. It is good practice to annex the agreed measures to the DPA, so that they become contractual commitments rather than marketing claims.
  • Sub-processors: If your processor engages other suppliers who are also processors (such as a cloud hosting platform), you need to decide whether you agree to them and, if so, how their appointment and any later changes will be handled. Remember that the processor remains fully liable to you for the performance of its sub-processors.
  • International data transfers: If personal data is to be transferred outside the UK, the DPA must explain how that transfer is lawful, e.g. under UK adequacy regulations or, where they do not apply, a transfer mechanism such as the IDTA or the UK Addendum. You may also need to take additional steps, such as a transfer risk assessment, to ensure compliance.
  • Liability and indemnity: It’s common to include commercial clauses apportioning risk if something goes wrong. These could include indemnities from the processor to compensate your business if they breach data protection law, and caps on each party’s liability. This is often a key issue to iron out when negotiating a DPA.

Practical steps for controllers

There’s a lot for data controllers to do before appointing a third-party processor. Here are some key practical steps to take:

  • Identify every third party who handles personal data for you
  • Confirm whether they’re a processor or controller
  • Do your due diligence and record the results
  • Make sure a DPA is negotiated for your protection and signed before processing starts
  • Keep a record of all DPAs, audits, and risk assessments
  • Review your contracts regularly and update them when needed

But a DPA isn’t the only thing you need to think about when sharing personal data. You also need to:

  • Update your privacy notice to show data subjects which third parties you share data with
  • Complete data protection impact assessments where needed

There’s a lot to tackle here, but the consequences of breaching data protection law are serious. So, make sure you take legal advice if you’re unsure of your specific obligations.

What if you’re a processor?

If you’re acting as a processor and a controller client sends over their standard supplier data processing agreement, don’t just sign it blindly. Read it carefully and negotiate if needed.

Make sure it reflects the actual services you’re providing and that:

  • The processing activities are described correctly
  • The deadlines for your obligations, e.g. breach notifications or audits, are realistic
  • You’re able to meet all obligations, to avoid breaching the contract

If anything looks unclear, overly strict or onerous, take legal advice before you sign.

Conclusion

A data processing agreement isn’t just a legal formality. It’s a key safeguard to ensure personal data is handled securely and responsibly by third parties, and it fixes who is responsible for what if something goes wrong. It reduces your exposure to data breaches, non-compliance penalties and operational risk. Whether you’re the data controller or the processor, you need a DPA that accurately reflects your data flows, processing activities and risk exposure.

Our specialist data protection solicitors work closely with businesses like yours to draft, review and negotiate DPAs that meet your legal duties under the UK GDPR and align with your commercial strategy. We’ll help you understand your responsibilities, assess compliance risks, and put in place practical legal solutions that work in the real world.
