Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, chances are you rely on other businesses to help you operate - cloud storage, email marketing platforms, payroll software, customer support tools, accountants, IT providers, and more.
As soon as those third parties handle personal data for you, the GDPR (and in the UK, the UK GDPR alongside the Data Protection Act 2018) comes into play. That’s where the idea of a data processor becomes very real - and very important.
This guide breaks down what a data processor is under GDPR, what a data processor does in practice, how it differs from a controller (and when a business can be both), and the key obligations you need to meet to reduce avoidable compliance risk.
What Is A Data Processor Under GDPR?
Under the UK GDPR, a data processor is an organisation (or person) that processes personal data on behalf of a data controller.
In plain English: a data processor is a service provider that handles personal data because you’ve engaged them to do so - and for that processing activity, they should act on your instructions.
What Counts As “Processing”?
“Processing” is very broad. It can include:
- collecting personal data
- storing or hosting it
- accessing it to provide support
- sending emails or SMS messages
- analysing it (e.g. reporting and dashboards)
- deleting, amending, or organising it
So, even if a supplier doesn’t “own” the data, they can still be a data processor if they’re doing any of the above for you and not for their own independent purposes.
Common Examples Of Data Processors (In Small Business Life)
Here are some common data processor scenarios we see for SMEs:
- Payroll providers processing staff payroll details for an employer
- Marketing email providers sending newsletters to your subscriber list
- Cloud storage/hosting providers hosting customer databases or CRM records
- IT support providers accessing devices/accounts to troubleshoot issues
- Booking platforms managing appointment data for your service business
- Customer support software storing customer queries and contact details
It can feel like “just admin”, but legally it matters - because the UK GDPR expects you to have the right controls around how those suppliers process personal data.
Data Processor vs Data Controller: Why The Difference Matters
A lot of GDPR compliance confusion comes down to mixing up “controller” and “processor”. The distinction matters because your legal responsibilities (and the documents you need) depend on which role you’re playing for a particular processing activity.
What Is A Data Controller?
A data controller is the organisation that decides:
- why personal data is being processed (the purpose), and
- how it will be processed (the essential means)
For most small businesses, if you collect customer details, manage employees, or build a mailing list, you’re a data controller for that information.
So Where Does A Data Processor Fit?
A data processor processes personal data on the controller’s behalf for a specific service. They don’t decide the “why” for that activity - they help deliver it.
In practice, some suppliers can be a processor for certain activities and a controller for others (for example, where they use data for their own compliance, fraud prevention, product improvement, or marketing). This is why it’s important to map the activity, not just label the supplier once.
Example: If you run an online shop and you use a third-party fulfilment provider to ship orders, you may be the controller of customer order data, and the fulfilment provider may be your processor for fulfilment. But if they reuse that data for their own independent purposes, they may be acting as a controller for that separate use.
Why This Matters For Your Business
Getting the roles right helps you:
- put the correct contracts in place (especially processor clauses)
- assess risk properly (who’s responsible for what if there’s a breach?)
- respond to customer requests (like access/deletion) without delay
- avoid common compliance mistakes, like relying on vague supplier terms
It also matters because regulators tend to look closely at supplier management. If a processor mishandles personal data, the controller can still face serious legal and reputational consequences - even if the processor may also be directly liable for its own GDPR obligations.
What Does A Data Processor Do (And What Can’t They Do)?
When people search “what does a data processor do”, they’re often really asking: what is the processor allowed to do with personal data, and what are they responsible for?
Under the UK GDPR, a processor’s main job is to process personal data only on documented instructions from the controller (unless UK law requires them to do otherwise).
What A Data Processor Typically Does
A data processor might:
- host your customer records in a secure environment
- send marketing emails or SMS messages based on your audience settings
- provide analytics reporting about customer behaviour
- run payroll and generate payslips based on the data you provide
- provide technical support that requires access to systems containing personal data
What A Data Processor Should Not Do
A processor should not:
- use your customer/employee data for their own unrelated purposes (unless, for that separate activity, they are acting as a controller and have a lawful basis and transparency in place)
- share the data with others unless authorised (including appointing sub-processors outside what your agreement allows)
- decide to keep the data indefinitely if you’ve instructed deletion (subject to any legal retention requirements)
- ignore your requirements around confidentiality, security, or breach reporting
This is why the contract between controller and processor is so important - it sets clear rules, reduces “he said/she said” risk, and helps you evidence sensible supplier governance if anything goes wrong.
Key UK GDPR Obligations For Data Processors (And What You Must Do As A Business)
Even though controllers usually carry the heaviest GDPR burden, processors have direct legal obligations too. And if you’re hiring processors (which most businesses do), you need to make sure your supplier relationships support compliance from day one.
1) Only Use Processors That Provide “Sufficient Guarantees”
As a controller, you’re expected to choose processors that can provide sufficient guarantees that they’ll implement appropriate technical and organisational measures to meet UK GDPR requirements.
In practice, this means doing proportionate diligence such as:
- checking what security standards they claim to meet (and whether it’s credible)
- understanding where data is stored and how access is controlled
- reviewing their breach procedures and response timeframes
- confirming how they use subcontractors (sub-processors)
You don’t need a 40-page audit for every supplier - but you do need to be comfortable that the processor isn’t creating obvious risk for your customers and your business.
2) Put The Required Contract In Place (This Is Not Optional)
When you use a data processor, the UK GDPR requires a specific type of written contract with mandatory terms.
That’s often documented as a Data Processing Agreement.
If you rely solely on a supplier’s generic terms (especially if they’re not UK GDPR-specific), you can end up with gaps around sub-processing, breach reporting timelines, deletion/return obligations, and audit/assurance rights.
3) Security: Appropriate Technical And Organisational Measures
Processors must take appropriate security measures. What counts as “appropriate” depends on the context - for example, the type of personal data involved and the potential harm if it’s exposed.
Common security measures include:
- access controls and least-privilege permissions
- multi-factor authentication (MFA)
- encryption (at rest and in transit)
- secure backups and recovery procedures
- staff training and confidentiality obligations
- logging and monitoring for suspicious access
From a business owner’s perspective, the key is to ensure your processor contract and internal processes don’t leave security as a vague promise.
4) Sub-Processors: Control The Supply Chain
Many processors use other providers to deliver their service (for example, infrastructure or hosting). Under the UK GDPR, a processor needs the controller’s authorisation to use sub-processors (either specific authorisation, or general authorisation with a right to be notified of changes), and must flow down equivalent data protection obligations to them.
As a controller, you should understand:
- who the sub-processors are (or at least the categories)
- how you’ll be notified of changes
- what rights you have to object (and what happens if you do)
This is one of those areas where “small print” can matter a lot, especially if data is transferred internationally.
5) Helping With Data Subject Rights And GDPR Requests
Processors must assist the controller in meeting UK GDPR obligations, including responding to individuals exercising their rights (like access, deletion, or rectification), to the extent relevant to the processing and as set out in the contract.
That means your supplier needs a process for handling these requests quickly and securely - and you need a clear internal pathway for actioning them. If you want a structured way to manage incoming requests, an Access Request Form can help you keep things consistent.
6) Breach Reporting And Incident Response
Processors must notify the controller without undue delay after becoming aware of a personal data breach.
For small businesses, this is critical. If your processor sits on a breach for too long, you might miss key reporting deadlines and you’ll be on the back foot with customers.
It’s worth having an internal Data Breach Response Plan so you’re not scrambling to figure out what to do when something happens.
7) Record Keeping And Accountability
Processors have record-keeping obligations in certain cases (for example, where they have 250+ employees, or where the processing they carry out is not occasional, involves special category data or criminal offence data, or is likely to result in a risk to individuals’ rights and freedoms). Even where a formal record isn’t strictly required, good documentation supports accountability - being able to show what you do and why your approach is compliant.
For SMEs, accountability is often less about paperwork for its own sake and more about having clear, practical documentation you can rely on:
- processor agreements in place
- privacy notices that reflect reality
- basic security controls and access management
- clear steps for dealing with requests and breaches
What Legal Documents Do You Need When You Use A Data Processor?
Once you understand the “data processor in GDPR” concept, the next question is usually: what do I need to actually put in place to be compliant?
Here are the documents and steps that commonly matter for small businesses.
A Data Processing Agreement (DPA)
If a supplier is processing personal data on your behalf, a Data Processing Agreement (or UK GDPR-compliant processor clauses within the main services agreement) is the key legal document.
At a high level, a UK GDPR-compliant processor agreement should cover things like:
- the subject matter and duration of processing
- the nature and purpose of processing
- types of personal data and categories of data subjects
- processor obligations to act only on your instructions
- confidentiality commitments
- security standards and measures
- sub-processor rules
- assistance with data subject requests
- breach notification obligations
- data deletion/return at end of services
- audit and compliance support
In practice, the “right” DPA depends on your business model, the data you handle, and how the supplier actually operates - which is why generic templates can leave you exposed.
A Privacy Policy That Matches How You Actually Operate
If you’re collecting personal data from customers (online or offline), you’ll generally need a clear privacy notice explaining what you collect, why, and who you share it with (including processors).
For many businesses, that’s handled via a Privacy Policy that is consistent with your tools and workflows.
This is one of the most common “small business GDPR” issues we see: businesses implement a bunch of new systems (CRM, booking apps, marketing tools), but the privacy policy never gets updated to reflect those changes.
Internal Policies (Especially If Staff Use Business Systems)
If your team uses company devices, accesses customer databases, or handles personal data day-to-day, internal policies can reduce risk significantly.
An Acceptable Use Policy is often a practical starting point, because it sets ground rules for how your team should use systems, manage passwords, store files, and avoid unsafe workarounds.
A Clear GDPR “System” (So You’re Not Piecing It Together Later)
GDPR compliance can get overwhelming fast - especially when you’re juggling suppliers, customer-facing documents, and internal practices.
Many small businesses find it easier to bundle the essentials and build from there, rather than treating each document as a separate project. That’s where a GDPR package can be useful, because it helps align the external promises you make (like your privacy policy) with the internal reality (like how you respond to requests and manage suppliers).
A Practical Checklist For Managing Data Processors
Here’s a straightforward approach you can adopt immediately:
- Step 1: List every supplier that has access to personal data (including “incidental” access like IT support).
- Step 2: Identify what data they touch (customer contact details, payment info, health info, employee data, etc.).
- Step 3: Confirm whether they are acting as a processor, controller, or both (many providers can be both depending on the activity).
- Step 4: Put a UK GDPR-compliant processor agreement/DPA in place.
- Step 5: Check international transfers and sub-processors.
- Step 6: Make sure your privacy policy reflects the sharing/processing.
- Step 7: Set up an internal process for breaches and requests.
This kind of list is not just helpful for compliance - it also makes your business easier to run as you scale, onboard staff, and switch tools.
Key Takeaways
- A data processor under the UK GDPR is a business that processes personal data on behalf of a controller and generally must act only on the controller’s documented instructions.
- Most small businesses are data controllers for customer and employee personal data, and many of your suppliers (software tools, payroll, IT support) may act as your processors for specific services.
- Using processors isn’t a problem - but you need to manage them properly, including choosing providers that can provide sufficient guarantees around security and compliance.
- A UK GDPR-compliant Data Processing Agreement (or equivalent processor clauses) is a legal requirement when a supplier processes personal data on your behalf.
- Your Privacy Policy should accurately reflect how you use and share personal data, including with processors, and should be updated as your systems change.
- Having practical internal processes - like an incident response plan and a consistent approach to access requests - can save you major stress if something goes wrong.
If you’d like help reviewing your supplier arrangements or putting the right UK GDPR documents in place (including DPAs and privacy policies), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.