Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business uses cloud tools, outsourced IT support, payroll software, marketing platforms, or hosted customer support systems, you’re almost certainly relying on service providers that use subprocessors - even if you’ve never used that word before.
For many UK small businesses, GDPR compliance feels manageable until you start asking: “Where does our data actually go?” That’s usually where subprocessors come in.
In this guide, we’ll break down what subprocessors are, when they matter, and what you should be doing (practically and contractually) to help keep your business compliant with the UK GDPR and the Data Protection Act 2018.
What Are Subprocessors (And Why Do They Matter Under UK GDPR)?
A subprocessor is a third party appointed by a processor to help process personal data on behalf of a controller.
That sentence is a mouthful, so here’s the plain-English version.
A Simple Example
- You run an e-commerce business and collect customer names, addresses and order history (you are usually the controller).
- You use a customer support platform to manage customer queries (depending on how the platform uses the data, that provider may be a processor - but in some setups they can be a separate controller or even a joint controller).
- That platform provider hosts its service on a cloud infrastructure provider (the cloud provider is typically a subprocessor if the platform provider is acting as your processor).
So, while you might have only signed up to one service provider, your customer personal data may be accessed, stored, transmitted, or backed up by several subprocessors behind the scenes.
Why GDPR Cares About Subprocessors
Under the UK GDPR, personal data shouldn’t be passed down an endless supply chain without proper safeguards. The law expects a clear chain of responsibility, including:
- transparency about who is processing personal data and why
- written contracts that contain specific protections
- ongoing oversight (not “set and forget”)
- appropriate security measures across the whole processing chain
In other words: if your processor uses subprocessors, you don’t get to ignore them. Your compliance obligations don’t stop at your direct supplier.
Controller vs Processor vs Subprocessor: A Quick UK Business Breakdown
Getting these roles right matters because the UK GDPR assigns different legal duties depending on whether you are a controller or processor.
Controller
You’re a controller if your business decides why and how personal data is processed. Many SMEs are controllers when they collect customer data, manage staff records, or run marketing databases.
Controllers are responsible for GDPR fundamentals like lawful basis, transparency, and data subject rights - often documented through a Privacy Policy.
Processor
A processor processes personal data on the controller’s behalf, following the controller’s instructions (for example, a payroll provider, an IT managed service provider, or a marketing email platform). However, depending on the service and how it uses the data, some providers may instead act as independent controllers (or joint controllers) for certain processing activities.
Processors have their own direct obligations under the UK GDPR, including security, record-keeping, and restrictions on appointing subprocessors.
Subprocessor
A subprocessor is engaged by the processor (not by you directly) to help deliver the processing service.
Common subprocessor activities include:
- cloud hosting and storage
- email delivery infrastructure
- analytics and diagnostics
- payment processing rails
- customer support tooling used by your supplier
- cybersecurity monitoring and logging
The important bit: subprocessors can process personal data as part of your supplier’s service, so they still need to be governed by the same standard of GDPR protections.
When Do Subprocessors Create Compliance Risk For Small Businesses?
Subprocessors aren’t automatically a “problem”. In fact, many are industry-standard and essential for modern digital services.
The risk shows up when you don’t have visibility and contractual control - which can lead to unexpected exposures (especially if something goes wrong).
Typical Risk Scenarios
- You don’t know who the subprocessors are. That makes it hard to answer customer questions, handle Subject Access Requests, or respond to regulatory queries.
- Data moves internationally without you realising. A subprocessor may store or access data outside the UK, triggering cross-border transfer requirements.
- Your processor adds subprocessors without telling you. This can create “silent” changes to your risk profile.
- Security standards vary across the chain. One weak link can increase breach likelihood.
- You can’t meet your own commitments. If you promise customers certain protections, you need your suppliers (and their subprocessors) to align with that.
“But We’re Small - Does This Really Apply?”
Yes. UK GDPR doesn’t only apply to large corporates.
If you’re processing personal data (customer details, employee data, leads, even IP addresses in some contexts), you need to take proportionate steps to manage risk. For small businesses, “proportionate” usually means having the right paperwork and supplier checks in place - without turning it into a massive project.
If you’re building out your GDPR foundations from scratch, a structured approach like a GDPR package can help ensure you’re covering the key moving parts properly.
What Does UK GDPR Require When Your Processor Uses Subprocessors?
The UK GDPR sets specific rules for subprocessors. The headline principle is:
A processor can’t appoint a subprocessor without the controller’s authorisation, and the subprocessor must be bound by equivalent data protection terms.
1) Authorisation: Specific Or General
Controllers can authorise subprocessors in two common ways:
- Specific authorisation: you approve each subprocessor individually before they’re appointed.
- General authorisation: you give broad permission, but the processor must inform you of changes so you can object.
Many SaaS providers use “general authorisation” via their terms, with a published subprocessor list and a change notification mechanism.
2) A Written Contract That “Flows Down” GDPR Obligations
Your contract with the processor should require that any subprocessor is subject to the same (or equivalent) protections that apply to the processor.
This usually sits inside a Data Processing Agreement (DPA), either as a standalone document or embedded in your supplier terms.
A well-drafted DPA typically covers things like:
- subject matter and duration of processing
- nature and purpose of processing
- types of personal data and categories of data subjects
- security measures
- breach notification obligations
- audit/inspection rights (often limited in practice, but still important)
- international transfer safeguards
- rules around engaging subprocessors
3) Liability Doesn’t Magically Disappear
Even if the subprocessor causes a data breach, your processor remains responsible to you for that subprocessor’s performance under the processing contract.
That’s helpful - but from a business risk perspective, you can still face real-world consequences (customer complaints, downtime, reputational damage, and regulatory scrutiny). So it’s still worth doing reasonable due diligence upfront.
How To Manage Subprocessors In Practice (A Step-By-Step Checklist)
For most small businesses, subprocessor compliance is less about “legal theory” and more about having a repeatable process you can actually maintain.
Step 1: Map Where Personal Data Goes
Start by listing the suppliers who process personal data for you (your processors). Common examples include:
- cloud email and file storage
- website hosting
- CRM platforms
- payroll and HR tools
- booking systems
- analytics tools
- customer support systems
As you do this, note what personal data is involved (customer contact details, employee records, health data, payment info, etc.) and how sensitive it is.
If you use cloud storage heavily, it’s worth pressure-testing whether your setup is compliant, especially around access controls and international transfers - issues that often come up in questions like “Is Google Drive GDPR compliant?”
Step 2: Ask For The Subprocessor List (And Change Process)
Many processors publish a subprocessor list on their website. If they don’t, ask for:
- a list of subprocessors used to deliver the service
- what each subprocessor does (hosting, support, analytics, etc.)
- where data is processed (UK/EEA/US/elsewhere)
- how you’ll be notified of changes
- how you can object to new subprocessors
If your supplier can’t or won’t provide this, that’s a red flag - especially if they’re handling sensitive personal data.
Step 3: Check International Data Transfers
Subprocessors often process data outside the UK. That isn’t automatically unlawful, but you need the right safeguards.
Depending on where the data goes, this may involve:
- UK GDPR international transfer mechanisms (such as the UK International Data Transfer Agreement or Addendum)
- Transfer risk assessments (where relevant)
- contractual and technical controls to manage access risk
This is an area where “DIY” can get tricky fast, so it’s worth getting legal advice if your data flows are complex.
Step 4: Put The Right Contractual Documents In Place
At minimum, you want your processor relationship properly documented - typically through a DPA.
For many SMEs, it’s also helpful to ensure your internal policies match what your contracts require. For example, if staff handle customer personal data, having an Acceptable Use Policy can help demonstrate that your business is managing access and security appropriately.
Step 5: Plan For Data Breaches Across The Supply Chain
Even if your security is strong, a breach can still occur via a processor or subprocessor.
Your DPA should require your processor to notify you without undue delay after becoming aware of a personal data breach. Internally, you’ll want a clear triage process so you can assess whether you need to notify the ICO and/or affected individuals.
Having a documented Data Breach Response Plan makes this significantly easier (and less stressful) when time is tight.
Step 6: Review Periodically (And When You Change Tools)
Subprocessor risk management isn’t a one-off task.
Set a realistic review cadence (for example, annually, or when you onboard a major new supplier), and make sure someone in your team owns it.
If you start using AI tools that process customer or staff information, add them to your review list too - questions about confidentiality and data handling come up a lot in that space, including whether ChatGPT is confidential for business use.
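Steps 1, 2, 3 and 6 above amount to keeping a register of who holds which personal data, where, and under what safeguard, and re-checking it on a cadence. As an added example (not code from the article or from Sprintlaw), the Python below models such a register and automates the three checks the checklist asks for: flagging subprocessors outside the UK/EEA with no recorded transfer mechanism, diffing a supplier’s published subprocessor list against the one you last recorded so “silent” additions surface, and working out which categories of personal data a given subprocessor could have touched, which is the first question in breach triage or a Subject Access Request. Every supplier, subprocessor, location and data category in it is constructed sample data; the set of jurisdictions treated as needing no separate mechanism, and the mechanism names “IDTA” and “Addendum”, are simplifying assumptions for illustration rather than a statement of which mechanism applies to any real transfer.

```python
"""Minimal subprocessor register with transfer checks and change detection.

Added example, not from the original article. All suppliers, subprocessors,
locations and data categories are constructed; the jurisdiction set and
mechanism names below are simplifying assumptions, not legal advice.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumption for this toy model: data staying in these jurisdictions needs no
# separate transfer mechanism. Check current UK adequacy rules before relying
# on any such list in practice.
NO_MECHANISM_NEEDED = {"UK", "EEA"}


@dataclass(frozen=True)
class Subprocessor:
    name: str
    purpose: str                          # hosting, email delivery, analytics ...
    location: str                         # where personal data is processed
    transfer_mechanism: Optional[str] = None  # e.g. "IDTA", "Addendum" (assumed labels)


@dataclass
class Processor:
    name: str
    data_categories: Set[str]             # personal data you send this supplier
    subprocessors: List[Subprocessor] = field(default_factory=list)


def find_transfer_gaps(register: List[Processor]) -> List[Tuple[str, str]]:
    """(processor, subprocessor) pairs where data leaves the UK/EEA and no
    transfer mechanism has been recorded (Step 3 of the checklist)."""
    gaps = []
    for proc in register:
        for sub in proc.subprocessors:
            if sub.location not in NO_MECHANISM_NEEDED and not sub.transfer_mechanism:
                gaps.append((proc.name, sub.name))
    return gaps


def diff_subprocessors(previous: Set[str], current: Set[str]) -> Dict[str, Set[str]]:
    """Compare the supplier's current published list with the one you last
    recorded, so additions you were never told about do not stay silent (Step 2)."""
    return {"added": current - previous, "removed": previous - current}


def exposure_for(register: List[Processor], subprocessor_name: str) -> Set[str]:
    """Union of data categories sent to every processor that uses the named
    subprocessor: the first question in breach triage or a Subject Access Request."""
    exposed: Set[str] = set()
    for proc in register:
        if any(s.name == subprocessor_name for s in proc.subprocessors):
            exposed |= proc.data_categories
    return exposed


# Constructed sample register; every name here is fictional.
REGISTER = [
    Processor(
        name="HelpDesk SaaS",
        data_categories={"customer contact details", "order history"},
        subprocessors=[
            Subprocessor("CloudHost A", "hosting", "EEA"),
            Subprocessor("MailRelay B", "email delivery", "US", transfer_mechanism="Addendum"),
            Subprocessor("Metrics C", "analytics", "US"),   # no mechanism recorded
        ],
    ),
    Processor(
        name="Payroll Provider",
        data_categories={"employee records", "bank details"},
        subprocessors=[Subprocessor("CloudHost A", "hosting", "UK")],
    ),
]

# The HelpDesk SaaS list you recorded at the last review vs its current page.
LAST_RECORDED = {"CloudHost A", "MailRelay B"}
CURRENT_PUBLISHED = {s.name for s in REGISTER[0].subprocessors}

if __name__ == "__main__":
    print("Transfer gaps:", find_transfer_gaps(REGISTER))
    print("List changes:", diff_subprocessors(LAST_RECORDED, CURRENT_PUBLISHED))
    print("Exposure via CloudHost A:", exposure_for(REGISTER, "CloudHost A"))
```

Run as-is it reports one transfer gap (Metrics C in the US with nothing recorded), one silent addition (Metrics C was not on the list you last saved), and shows that CloudHost A sits behind both suppliers, so an incident there would touch customer and employee data alike. The point of keeping the register in a structured form rather than a spreadsheet note is that the periodic review in Step 6 becomes a re-run of these checks rather than a fresh investigation.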
Key Takeaways
- Subprocessors are third parties appointed by your processor to help deliver processing services, and they often sit behind everyday tools like cloud hosting and analytics.
- Under the UK GDPR, processors generally need your authorisation to use subprocessors, and they must impose equivalent data protection obligations on them.
- For small businesses, the practical goal is visibility and control: know who the subprocessors are, where data is processed, and how changes are communicated.
- A properly drafted Data Processing Agreement is one of the most important documents for managing subprocessor risk, especially around breach notifications and international transfers.
- Subprocessor issues often show up during incidents - so having a breach response plan and clear internal processes can save you time, cost, and headaches.
- Regularly review your key suppliers and their subprocessor lists, particularly when you add new tools or your business starts processing more sensitive personal data.
This article is general information only and doesn’t constitute legal advice. For advice about your specific situation, speak to a qualified lawyer.
If you’d like help putting the right GDPR documents in place (including DPAs, policies, and contract reviews), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.