Negotiating a data processing agreement (or controller-to-processor agreements) under the UK GDPR requires more than just ticking regulatory boxes; it’s a strategic exercise in managing risk, securing your commercial interests, and ensuring compliance.
Whether you’re a data controller or processor, agreeing on terms that meet the mandatory requirements of Article 28 while protecting your position can be complex. With liability, sub-processor authorisations, data breach reporting, and security standards often hotly debated, getting the balance right is crucial. If you need clarity on the basics, start with our guide "What is a data processing agreement?" for a detailed overview.
If you’re unsure how far to push in negotiations or what protections to insist upon, our data protection solicitors can help. We can support you by drafting, reviewing or negotiating robust controller-to-processor agreements that align with your business priorities and risk profile.
Key considerations for negotiating data processing agreements
When reviewing a data processing agreement, you must ensure that all the mandatory Article 28 UK GDPR clauses are included and are not diluted in any respect. Otherwise, you risk your agreement not being UK GDPR compliant.
Despite certain terms being mandatory, there is still plenty of room for negotiation in controller-to-processor agreements. Controllers often push for further protection and seek to impose more extensive obligations on processors. The Article 28 UK GDPR terms are a minimum and leave scope for businesses to negotiate provisions that protect their interests; many controller-to-processor contracts go well beyond what Article 28 requires.
There are certain preliminary practical points which you should carefully consider before negotiating the terms of a controller-to-processor agreement. These points will influence your approach to negotiations and how far you should push to protect your interests.
Data controller considerations
Some of the key points to consider as a data controller include the following:
- Consider which types of data the supplier will process as part of their services. Is there a large volume of data, and is that data sensitive, or does it contain any special category data? Will the data remain in the United Kingdom, or will it be sent to or accessed in overseas countries? Will any group company's data be shared?
- The level of risk and the length of data processing should determine your approach to negotiations. For example, a long-term project involving high volumes of sensitive information will require more time and negotiation efforts than a small, single project involving minimal data.
- Consider whether you will contract on the supplier’s data processing terms or present your own terms. This often comes down to the amount of negotiating power you have. For example, large service providers such as Amazon have their own data processing terms and will almost certainly reject any customer terms.
- If your project is very low risk, you may decide that a simple and short set of data processing terms in your services agreement suffices. However, larger and higher-risk projects may warrant a separate DPA with a comprehensive set of robust data processing terms that cover more provisions than those mandated under Article 28 of the UK GDPR.
- Due diligence on the supplier may show that they have robust data security measures in place and a proven track record of protecting personal data, and you may wish to tailor your approach to negotiations accordingly. If a supplier has an excellent reputation for safeguarding customer data and strong security credentials, you may be more willing to trust them with your personal data and feel less need to negotiate onerous terms. Bear in mind, though, that a supplier's reputation does not replace the contractual commitments Article 28 requires; those must still appear in the agreement.
- You should also consider a commercial strategy, rather than simply focusing on legal issues. As a customer, you may want to work with the supplier and need their services. For example, the supplier may offer you competitive fees or a bespoke service tailored to your business needs. As such, you may wish to consider adopting a reasonable negotiation approach to finalise the deal commercially, rather than starting on the wrong foot with acrimonious negotiations.
- You should also consider your budget. For example, it is unlikely to be cost-effective to attempt to heavily negotiate standard processing terms with a large supplier of services, who may reject any amendments you propose.
These initial considerations will impact how you approach negotiating controller-to-processor agreements. This will not be a one-size-fits-all approach and may vary depending on the type of supplier and the type of data involved under the relevant contract.
Data processor considerations
As a supplier of services processing personal data for customers, you should also adopt a strategic approach to negotiating controller-to-processor agreements.
- You may want to push for a customer to sign your own data processing terms or DPA; however, you should also be open to addressing a customer’s concerns.
- Think about what possible additional assurances you could offer to give your customer comfort, whilst not agreeing to terms you know you will struggle to comply with in practice.
- Again, the risk associated with the data in question, as well as the project's length and value, will likely impact your overall strategy and approach to negotiations.
- It is vital to carefully review the terms proposed by a customer and ensure that you can deliver what the customer requests before agreeing to do so. For instance, a customer may impose strict time limits on the assistance you must give with its UK GDPR obligations, or expect you to bear the costs of providing that assistance.
Commonly negotiated provisions in data processing agreements
There are various provisions which parties tend to negotiate in controller-to-processor agreements.
Keep in mind that although a party has set out various terms in its agreement, that doesn’t necessarily mean they are mandatory by law. Always go back to check the provisions of Article 28 of the UK GDPR to determine whether a provision in a controller-to-processor agreement is compulsory or not.
Controllers may raise specific requests around the parameters of data processing: for instance, what types of personal data they are willing to share, how long a processor can use the data and for what purposes, and restrictions on onward data sharing. There may also be detailed discussions regarding the data retention and deletion process, including measures to ensure, and evidence, that data has been properly deleted at the end of the contract.
Some of the most heavily negotiated provisions are explored below.
- Liability and indemnities
The UK GDPR does not prescribe what liability terms should be in place between controllers and processors. As such, this is one of the most heavily negotiated parts of data processing agreements. The parties often negotiate to decide how liability should be apportioned between them.
Controllers are accountable and responsible for ensuring that processing is carried out in compliance with the UK GDPR rules. Controllers will be more likely to be exposed to claims and can be held liable for various consequences if data is misused. However, the UK GDPR also places obligations on processors, who can also be held liable in certain circumstances. Processors will also be concerned about the controller's compliance with UK GDPR; for example, they will want assurance that the controller has the appropriate consents or notices in place to allow personal data to be transferred to them.
Controllers will be particularly concerned about ensuring they can recover any losses they suffer from a processor. As such, a contractual indemnity (an obligation to compensate the controller for its losses on a pound-for-pound basis) is often a request in negotiations. A controller will also want to ensure that it can make certain claims against the processor, for example, claims allowing the controller to have recourse against the processor for loss of data resulting from a data breach.
Before the GDPR, suppliers would often accept unlimited liability for data protection breaches. Since then, the trend among suppliers has been to limit and cap their liability for such breaches, and a supplier is now highly unlikely to accept unlimited liability. It is far more common for the parties to negotiate a separate, higher cap for losses arising from breaches of data protection law than the general cap that applies to the rest of the agreement.
When considering liability, you should consider what the risk to personal data is for the project and what could potentially go wrong. As a controller, it is also important to check if the supplier has cyber insurance in place to back up the liability provisions you negotiate.
Negotiations on liability often come down to a matter of bargaining power. Large suppliers, such as Microsoft, are extremely unlikely to negotiate these terms. However, a small supplier looking to secure business may be more willing to negotiate liability clauses that a controller customer is comfortable with. Otherwise, there is a risk that the controller could go to a different supplier.
Ultimately, the parties need to come to a reasonable compromise position over the allocation of liability. This will vary from contract to contract.
- Security measures
The UK GDPR is not prescriptive about what exact security measures data processors should have in place: Article 32 requires "appropriate" technical and organisational measures, judged against the state of the art, the costs of implementation and the risks of the processing, and Article 28(3)(c) requires the processor to commit to those measures in the contract. Because the standard is risk-based rather than a fixed checklist, controller customers will often want a supplier to demonstrate the specific measures it has in place and agree to maintain them throughout the contract term.
They will also often want full oversight of such security measures and require their IT or data security teams to review them.
Often, controllers will try to impose specific security standards on their processors, and sometimes quite extensive ones. As such, controllers are likely to ask processors to include various data security measures in their agreements. Processors may push back on the basis that the controller’s requests do not reflect the actual security measures they have in place.
The security measures to be in the agreement are often heavily negotiated. This will often come down to how far a processor can assure a controller that they have appropriate security to keep their data secure. As a processor, you should be prepared to answer a customer’s questions about your security measures and commitments as a business – this will form a key part of the customer’s supplier due diligence.
- Sub-processors
Under Article 28(2) UK GDPR, a processor may not engage a sub-processor without the controller's prior written authorisation, which may be specific (each appointment approved individually) or general. Where authorisation is general, the processor must inform the controller of any intended addition or replacement of sub-processors and give the controller the opportunity to object. Processors will often insist on a general authorisation so that they can change sub-processors from time to time, whereas controllers will want visibility of which sub-processors are appointed and a clear, reasonable timeframe in which to object. Controllers will also often want a remedy if their objection cannot be resolved, such as the right to terminate the agreement. It is important to carefully discuss and negotiate the logistics of how this will work in practice under your agreement, including how the processor will notify changes and how long the controller has to respond.
- Costs
Whilst a processor is obliged under Article 28(3) to assist a controller with certain of its UK GDPR obligations (for example, responding to data subject requests, security, breach notification and data protection impact assessments), the UK GDPR says nothing about who bears the cost of that assistance, so it is common for the parties to debate this. A processor could incur substantial costs if every controller customer expected such assistance free of charge.
- Audit rights and compliance monitoring
Article 28(3)(h) requires the processor to make available all information necessary to demonstrate compliance and to allow for and contribute to audits, so the existence of an audit right is not negotiable. Its extent, however, often is – for example, the scope of the audit, how often audits can be carried out and on how much notice, whether sub-processors can be audited and who pays the costs.
Controllers may also want regular compliance monitoring rights, including access to reports and ongoing evidence of compliance.
- International transfers
Provisions around international data transfers of the controller’s data to countries outside the United Kingdom are also a common negotiation point, particularly where controller customers are concerned about their personal data being sent to certain countries. For instance, the controller may want to specify that their data remains stored and processed within the United Kingdom only.
- Data breaches
The specific timeframes for notification of personal data breaches can be a negotiation point. Article 33(2) UK GDPR only requires a processor to notify the controller "without undue delay" after becoming aware of a breach, so the contract is where that is turned into a fixed period. Controllers are likely to push for tight time limits, such as "immediately" or within a set number of hours, because they themselves must notify the ICO within 72 hours of becoming aware of a notifiable breach. However, processors may be unable to meet very short timeframes in practice, depending on their internal detection and escalation processes, and should only commit to a period they can actually meet.
As highlighted above, controller-to-processor agreements are not straightforward, and the parties will often explore several key areas as part of their negotiations.
Practical strategies to negotiate data processing agreements
There are various practical considerations to explore when negotiating controller-to-processor agreements.
As part of your strategy, you should consider the following:
- Understand the types of personal data to be processed under the contract and its value. Consider the risks of what could go wrong if that data is compromised or misused.
- Know your baseline position, what you need from the counterparty and what you are willing to compromise on. To successfully negotiate controller-to-processor agreements, you should think about how the relationship between the parties will work in practice and be willing to be flexible. If you are a controller, for example, consider whether you really need an indemnity from the supplier to get your deal over the line.
- Remember that you need to balance data protection compliance and security with the ability to do business with processors. Overly onerous and stringent requirements may be impractical for a processor to comply with and can stall or derail the deal.
Whilst you can bring several legal arguments to the negotiation table, either as a controller or a processor, think practically and commercially.
- As a controller, you should not aim to create a contract that is so overly onerous that the supplier will not be able to comply with it and will refuse to do business with you.
- As a supplier, you should consider making sensible allowances to keep your controller customer happy, for example, by offering them comfort on critical issues such as liability, which is likely to be their biggest concern. In practice, adopting a take it or leave it approach may not help you win customer trust.
Overall, both parties should work together to achieve a reasonable compromise and listen to each other’s concerns. Whilst controllers often demand very high standards of processors, a balance needs to be struck so that each party is comfortable with the agreement. Ultimately, the parties need to reach a position that allows them to do business with each other.
Furthermore, protracted negotiations can lead to delays and incur substantial costs. In the worst case, a negotiation approach which is too strict or onerous can even ‘kill the deal’ and lead to loss of business. As such, taking a risk-based and pragmatic approach may help businesses successfully negotiate controller-to-processor agreements more easily and faster.
Summary
Reaching a fair and workable data processing agreement can be the difference between moving a deal forward or losing it entirely. Whether you’re being asked to sign supplier terms or looking to enforce your own, the goal is always to achieve legal compliance with the UK GDPR without stalling commercial progress. Our data protection solicitors work closely with businesses to navigate the fine detail of these agreements, helping you avoid common pitfalls, manage liability, and negotiate terms that reflect your commercial and legal position. Speak to us for clear, strategic advice tailored to your project and risk appetite.