Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Do We Mean By A “DPA Check”?
- Why A DPA Check Matters For Small Businesses
- How To Run A DPA Check: Step-By-Step
- 1) Map Your Personal Data And Vendors
- 2) Check Your Legal Bases And Transparency
- 3) Review Your Data Processing Agreements (DPAs)
- 4) Confirm Security Measures And Cloud Setups
- 5) Tighten Your Website Cookies And Privacy Notices
- 6) Prepare For Data Subject Requests (DSARs)
- 7) Set Data Retention Rules You Can Actually Follow
- 8) Plan For Incidents And Breaches
- 9) Document Everything Sensibly
- What Should A Good Data Processing Agreement Include?
- Common Gaps We See In DPA Checks (And Quick Fixes)
- Frequently Asked Questions About DPA Checks
- Simple DPA Check Template You Can Reuse
- Key Takeaways
If you handle customer, client or employee data (and most small businesses do), a regular “DPA check” should be on your compliance to-do list.
In practice, a DPA check means two things: reviewing your Data Processing Agreements with suppliers, and checking your broader compliance with UK GDPR and the Data Protection Act 2018. Done well, it reduces legal risk, keeps the ICO happy and builds trust with your customers.
In this guide, we’ll walk you through a simple, business-friendly way to run a DPA check from end to end - what to review, common gaps we see, and how to fix them quickly.
What Do We Mean By A “DPA Check”?
“DPA” gets used in two ways in the UK:
- Data Processing Agreement (DPA) - the contract between your business (as a controller) and any third-party processor handling personal data on your behalf (for example, a cloud CRM, email marketing provider, payroll bureau, IT support).
- Data Protection Act 2018 (DPA 2018) - the UK law that sits alongside the UK GDPR and sets out key rules and enforcement powers.
A DPA check should cover both. You’re verifying that each processor contract contains the terms UK GDPR Article 28(3) requires, and that your day-to-day privacy practices comply with the law (transparency, lawful bases, rights responses, security and so on).
Think of it as a health check on your data governance: contracts + operations.
Why A DPA Check Matters For Small Businesses
Small businesses sometimes assume privacy risk is a “big company” issue. In reality, regulators investigate micro and small firms too, and claims often start with a single complaint, lost laptop, or mis-sent email.
A good DPA check helps you:
- Reduce enforcement risk - ICO fines aside, enforcement often means mandatory remediation, audits and time away from running your business.
- Prevent customer complaints - clear privacy information and reliable rights handling reduce disputes and reputational damage.
- Control vendor risk - DPA clauses push minimum security and breach support obligations down your supply chain.
- Win bigger deals - enterprise customers expect robust privacy controls and signed DPAs before onboarding you.
The best part? Most gaps are fixable with targeted actions - updating a Privacy Policy, tightening a processor contract, improving retention rules, or documenting your processes.
How To Run A DPA Check: Step-By-Step
1) Map Your Personal Data And Vendors
Start with a simple inventory. List what personal data you collect (customers, prospects, website users, employees), where it’s stored, and which third parties process it on your behalf. Include tools like CRMs, helpdesk software, marketing platforms, cloud storage, accountants, payroll and IT support.
This is your single source of truth. It’s also the basis for your Records of Processing Activities under UK GDPR Article 30. Organisations with fewer than 250 staff are exempt only where their processing is occasional, unlikely to risk individuals’ rights and freedoms, and involves no special category or criminal offence data; most businesses that market, employ staff or run a CRM will not meet all three conditions, so treat the record as required.
2) Check Your Legal Bases And Transparency
For each processing activity, confirm your lawful basis (e.g. contract, legitimate interests, consent) and that this is explained clearly in your Privacy Policy and just-in-time notices (for example, sign-up forms or cookie banners). Where you rely on legitimate interests, keep a short written assessment of why your interest outweighs the individual’s.
- Make sure you can evidence consent where you rely on it.
- If you make business calls, ensure you’re handling personal data in line with your GDPR and business calls obligations.
- For email marketing, comply with PECR rules (consent or soft opt-in) - see the practical overview of email marketing laws and the nuances of the soft opt-in.
3) Review Your Data Processing Agreements (DPAs)
For each processor, make sure you have a signed DPA. Under UK GDPR Article 28, a controller must only use processors who provide sufficient guarantees, and the contract must include specific clauses, typically covered in a tailored Data Processing Agreement:
- Processing on documented instructions only (no unexpected use).
- Confidentiality obligations for staff and sub-processors.
- Appropriate technical and organisational security measures.
- Limits on sub-processing and clear approval mechanism.
- Assistance with data subject rights and breach notifications.
- Deletion or return of personal data at end of services.
- Information necessary to demonstrate compliance, including audits.
- International transfer mechanism (UK addendum to SCCs, IDTA, etc.).
Red flags to fix quickly:
- No DPA at all (or a very generic paragraph in a main services contract).
- Processors reserving broad rights to use your data for their own purposes.
- No meaningful security undertakings or breach notification timelines.
- Unlimited right to appoint sub-processors without notice or control.
- Vague or non-existent deletion/return commitments at contract end.
Where you share data with another controller (not a processor), document the split of responsibilities in a Data Sharing Agreement. This is common with joint campaigns, referral arrangements, and multi-party service delivery.
4) Confirm Security Measures And Cloud Setups
Security doesn’t need to be fancy - it needs to be appropriate to the risk (UK GDPR Article 32). Check the basics: access controls and periodic access reviews, MFA on email and admin accounts, encryption at rest and in transit, device policies (especially for mobiles and laptops), patching, backups, logging, and vendor security commitments. Where a vendor points to a certification or audit report (for example ISO 27001 or a SOC 2 report), confirm the scope actually covers the service you use. If your team uses cloud platforms, it’s wise to assess whether a tool like Google Drive is configured appropriately for UK GDPR (sharing defaults, external link sharing, retention); see our practical guide on Google Drive and GDPR.
If you’re exploring AI tools internally, implement clear usage rules to avoid accidental data disclosure - our overview of ChatGPT and privacy steps covers the key guardrails for UK businesses.
5) Tighten Your Website Cookies And Privacy Notices
Cookie compliance remains a hot spot for enforcement. Make sure your banner offers a genuine choice between “accept” and an equally prominent way to decline or configure. Practical checklists for cookie banners that comply and the requirement for a clear “reject all” option are here: reject all cookies buttons.
Ensure your Privacy Policy is up-to-date, plain English and matched to reality - if the policy says you do X, your processes should actually do X. A tailored Privacy Policy is an easy win in any DPA check.
6) Prepare For Data Subject Requests (DSARs)
You need a reliable, repeatable process to recognise, log and respond to access, deletion and other rights requests within statutory deadlines. Practical aids include:
- A simple playbook and subject access request template for your team.
- Clear tracking of DSAR deadlines and how to calculate time limits (normally one month from receipt, extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month).
- Policies for data deletion and exemptions you may rely on in limited circumstances.
If a DSAR lands when you’re unprepared, it can derail a week’s work. A little planning goes a long way.
7) Set Data Retention Rules You Can Actually Follow
UK GDPR expects you to keep personal data no longer than necessary. Convert that principle into a practical schedule by category (e.g. sales leads, paying customers, HR records). Our plain-English explainer on how long to keep personal data can help you set realistic periods and build deletion reviews into your routine.
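To turn a retention schedule into something you can actually run, here is an added example (not Sprintlaw’s code) that applies a per-category schedule to an exported list of records and reports which ones are due for deletion or anonymisation. The categories, retention periods, record fields and sample rows are assumptions for illustration; a record whose category has no rule is reported as a gap in the schedule rather than silently kept.

```javascript
// Added example, not Sprintlaw's code: apply a retention schedule to a
// record export and list what is due for deletion or anonymisation.
// Categories, periods, record fields and sample rows are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed schedule: maximum days after the last relevant activity
// (last contact, contract end, leaving date) and the action to take then.
const RETENTION_SCHEDULE = {
  'sales-lead': { days: 365, action: 'delete' },
  'customer': { days: 6 * 365, action: 'anonymise' },
  'hr-record': { days: 6 * 365, action: 'delete' },
};

// Constructed sample export, one row per record; dates are ISO (UTC).
const SAMPLE_RECORDS = [
  { id: 'L-1', category: 'sales-lead', lastActivity: '2023-01-10' },
  { id: 'L-2', category: 'sales-lead', lastActivity: '2024-11-05' },
  { id: 'C-1', category: 'customer', lastActivity: '2017-06-30' },
  { id: 'X-1', category: 'newsletter', lastActivity: '2020-01-01' }, // no rule
];

// Review records against the schedule as at a given date.
// Returns { due, keep, unscheduled }; "unscheduled" flags categories the
// schedule does not cover, which is a gap to fix, not a reason to retain.
function reviewRetention(records, schedule, asOf) {
  const now = new Date(asOf).getTime();
  const due = [];
  const keep = [];
  const unscheduled = [];
  for (const rec of records) {
    const rule = schedule[rec.category];
    if (!rule) {
      unscheduled.push(rec.id);
      continue;
    }
    const ageDays = Math.floor((now - new Date(rec.lastActivity).getTime()) / DAY_MS);
    if (ageDays > rule.days) {
      due.push({ id: rec.id, action: rule.action, ageDays });
    } else {
      keep.push(rec.id);
    }
  }
  return { due, keep, unscheduled };
}

// Stand-alone run: print the review for the sample export.
const review = reviewRetention(SAMPLE_RECORDS, RETENTION_SCHEDULE, '2025-01-01');
console.log(JSON.stringify(review, null, 2));
```

Run it on a real export by replacing `SAMPLE_RECORDS` with rows from your CRM or HR system; the `unscheduled` list is the first thing to clear, because every category without a rule is data you are keeping with no stated justification.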
8) Plan For Incidents And Breaches
Incidents happen - lost devices, phishing, misaddressed emails. What matters is your response. Put in place an incident triage process and a short, practical Data Breach Response Plan covering roles, the ICO notification criteria (a notifiable breach must be reported within 72 hours of becoming aware of it, and affected individuals told without undue delay where the risk to them is high) and customer communications. Keep a log of every incident, including those you decide not to report and why. Test the plan once so your team knows what to do under pressure.
9) Document Everything Sensibly
Documentation is both your compliance trail and your team’s playbook. Aim for concise, usable artifacts:
- Records of Processing Activities (lightweight but complete for your size).
- Privacy Policy and internal procedures for DSARs, retention and incidents.
- Signed Data Processing Agreements and any relevant Data Sharing Agreements.
If your business is growing fast or handles higher-risk data, a bundled data protection pack can be a cost-effective way to cover the essentials.
What Should A Good Data Processing Agreement Include?
Here’s a concise checklist you can use when reviewing vendor contracts. If an item is missing, push for an amendment or add-on schedule tailored to UK GDPR.
- Clear roles - your business is the controller, the vendor is the processor.
- Scope and documented instructions - what data, for what purpose, for how long.
- Confidentiality - binding on the processor’s staff.
- Security measures - specific, proportionate controls (not just vague promises).
- Sub-processing - disclosure of current sub-processors and a change control process.
- Assistance - help with DSARs, DPIAs and compliance inquiries.
- Breach notification - prompt notice and cooperation, with practical timeframes.
- International transfers - lawful mechanisms and UK-specific modules or IDTA.
- Audit and information rights - sensible audit options or independent reports.
- End-of-contract return/deletion - including backups within a defined timeframe.
- Liability and indemnities - balanced risk allocation aligned to the service.
A one-size-fits-all template rarely fits your stack. It’s worth having a lawyer tailor the DPA once, then reuse the structure and language as your “house style” when onboarding other suppliers.
Common Gaps We See In DPA Checks (And Quick Fixes)
Gap: No Or Outdated Privacy Policy
If your policy is missing, outdated or copied from another jurisdiction, update it now. A clear, current Privacy Policy is the first page many customers look for when deciding whether to trust you.
Gap: Email Marketing Without PECR Compliance
Relying on a generic “by signing up you agree…” line won’t cut it. Make sure your contact lists reflect lawful consent or the soft opt-in, and that unsubscribe works reliably. Brush up on the email marketing laws - it’s an easy compliance win.
Gap: Vendor DPAs Missing Key Clauses
Many standard SaaS terms include a privacy addendum, but it may be non-UK, outdated or permissive about vendor re-use of data. Compare against the checklist above and escalate for amendments where needed. If a supplier won’t sign any form of DPA, consider an alternative.
Gap: Weak Cookie Controls
Analytics and advertising scripts should be blocked until the user consents, with a clear way to decline. Test this rather than assuming it: open a fresh private browsing window, load the site, and check in the browser’s developer tools that no analytics or advertising cookies are set and no tracking scripts are requested before you make a choice, then confirm that “reject all” leaves it that way. If your banner is “accept only” or preferences don’t actually change behaviour, see our guidance on cookie banners and the need for a real reject all option.
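Step 5 and the gap above both come down to one mechanism: non-essential scripts must not be fetched until the visitor has positively opted in, and a rejection must be honoured. The following is an added example (not Sprintlaw’s code or any particular consent tool) of a consent-gated tag loader. The tag list, category names, storage key and button ids are assumptions; the decision logic is separated from the browser glue so it can be checked outside a browser.

```javascript
// Added example, not Sprintlaw's code: a consent-gated tag loader.
// Non-essential scripts (analytics, advertising) are never fetched until the
// visitor has made an explicit choice, and "reject all" leaves them unloaded.
// Tag list, category names, storage key and button ids are assumptions.

const CONSENT_KEY = 'cookie-consent-v1'; // assumed localStorage key
const NON_ESSENTIAL = new Set(['analytics', 'advertising']);

// Constructed sample tag inventory; the URLs are placeholders, not vendors.
const TAGS = [
  { id: 'session', category: 'essential', src: '/static/session.js' },
  { id: 'analytics', category: 'analytics', src: 'https://example.invalid/a.js' },
  { id: 'ads', category: 'advertising', src: 'https://example.invalid/ads.js' },
];

// A consent record is { analytics: bool, advertising: bool }, or null when
// no choice has been made yet. Anything malformed is treated as no consent.
function isValidConsent(consent) {
  return consent !== null && typeof consent === 'object' &&
    [...NON_ESSENTIAL].every((c) => typeof consent[c] === 'boolean');
}

// Essential tags always run; a non-essential tag runs only if the visitor
// has positively opted in to its category. Null or malformed = reject all.
function allowedTags(tags, consent) {
  const ok = isValidConsent(consent) ? consent : {};
  return tags.filter((t) => !NON_ESSENTIAL.has(t.category) || ok[t.category] === true);
}

// The loader is injected so the decision can be exercised without a DOM.
// Returns the ids actually handed to the loader, in order.
function applyConsent(tags, consent, loader) {
  const loaded = [];
  for (const t of allowedTags(tags, consent)) {
    loader(t);
    loaded.push(t.id);
  }
  return loaded;
}

// Browser glue, skipped under Node. Assumes the banner has buttons with ids
// "accept-all" and "reject-all"; both must be equally prominent in the markup.
function browserLoader(tag) {
  const s = document.createElement('script');
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

function readStoredConsent() {
  try { return JSON.parse(localStorage.getItem(CONSENT_KEY)); } catch (e) { return null; }
}

function storeConsent(consent) {
  localStorage.setItem(CONSENT_KEY, JSON.stringify(consent));
}

if (typeof document !== 'undefined') {
  // On load, only essential tags run unless a valid earlier choice exists.
  applyConsent(TAGS, readStoredConsent(), browserLoader);

  document.getElementById('accept-all').addEventListener('click', () => {
    const choice = { analytics: true, advertising: true };
    storeConsent(choice);
    // Essential tags are already loaded; now load the opted-in categories.
    applyConsent(TAGS.filter((t) => NON_ESSENTIAL.has(t.category)), choice, browserLoader);
  });

  document.getElementById('reject-all').addEventListener('click', () => {
    // Nothing to load; the refusal is stored so the banner is not re-shown.
    storeConsent({ analytics: false, advertising: false });
  });
}
```

The point to carry into your own site is that the analytics and advertising `<script>` elements never appear in the page markup at all: they are created only inside `applyConsent`, after a stored or freshly made choice says they may run. A banner that ships the tags in the HTML and merely hides itself on “reject” fails the end-to-end test in the checklist below.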
Gap: DSARs Managed Ad Hoc
Rights requests arriving via support inboxes can get missed. Set up a central log, assign an owner, and prepare a basic pack - including a DSAR template and a deadline calculator for response timescales.
Gap: No Incident Playbook
When something goes wrong, minutes matter. Define who triages, how to assess risk, and how to notify. A short breach response plan turns chaos into a controlled process.
Frequently Asked Questions About DPA Checks
Do We Need A DPA With Every Supplier?
No - only with processors, meaning suppliers who process personal data on your behalf following your instructions (cloud hosting, CRM, email platform, payroll). A supplier acting as its own controller (for example, an independent professional adviser) usually needs a different arrangement, often a Data Sharing Agreement or clear controller-to-controller terms.
How Often Should We Run A DPA Check?
Annually is a good rhythm for most small businesses, with spot checks when you onboard a new tool, launch a new product, or start processing a new category of data. Also review after any incident or material change in your tech stack.
What Happens If We’re Not Fully Compliant?
Don’t panic - most issues can be fixed. Prioritise high-risk areas (missing DPAs, weak security, marketing breaches), then work through the rest. If you’re unsure where to begin, a short data protection consultation can help you triage quickly.
Do We Have To Register With The ICO?
Most UK businesses must pay a data protection fee to the ICO unless an exemption applies. If you’re unsure, it’s worth checking the criteria and any ICO fee exemptions that might apply to your situation.
Simple DPA Check Template You Can Reuse
Here’s a lightweight, repeatable structure you can paste into your internal wiki and tick off quarterly or annually:
- Data map updated (systems, categories, purposes, retention).
- Privacy notices reviewed (website, app, forms, contracts) - aligned with practice.
- Marketing compliance confirmed (PECR, consent/soft opt-in, unsubscribe).
- Cookies tested end-to-end (prior consent for non-essential; reject works).
- Security controls verified (MFA, access reviews, encryption, device policy).
- Vendor DPAs checked against checklist; gaps escalated and tracked.
- International transfer mechanisms validated (UK IDTA/UK Addendum as needed).
- DSAR process tested; deadlines tracker working; staff aware.
- Retention schedule applied; deletions and anonymisation evidenced.
- Incident response plan reviewed; table-top exercise completed.
- Documentation stored centrally and accessible to those who need it.
Key Takeaways
- A “DPA check” should cover both your vendor Data Processing Agreements and your broader UK GDPR/Data Protection Act 2018 compliance.
- Start with a data map, then verify lawful bases and update your customer-facing transparency (especially your Privacy Policy).
- Ensure each processor contract includes mandatory clauses - a tailored Data Processing Agreement sets the standard you can reuse with future suppliers.
- Tighten high-visibility areas first: cookie banner choices, PECR-compliant marketing and reliable DSAR handling with clear deadlines.
- Document realistic retention periods and implement a simple incident playbook using a breach response plan.
- If this feels overwhelming, a short, focused data protection pack or consultation can get you compliant and protected from day one.
If you’d like help running a DPA check, reviewing vendor terms or getting the right privacy documents in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.