Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, chances are you rely on other companies to help you operate day-to-day - cloud storage, email marketing, payroll, customer support platforms, booking systems, analytics tools, and more.
As soon as any of those suppliers handles personal data on your behalf, you’ll likely hear the question: what is a DPA, and do you need one?
A Data Processing Agreement (DPA) is one of those GDPR essentials that sounds more complicated than it needs to be. But getting it right is a big part of protecting your business from avoidable compliance risks.
Below, we’ll break down what a DPA is, when you need one, what it should contain, and the common mistakes that trip businesses up.
What Is A DPA Under UK GDPR?
In plain English, a Data Processing Agreement (DPA) is a written contract that sets out how personal data will be handled when one organisation processes personal data for another.
To understand what a DPA is in practice, you need to understand the two key roles under UK GDPR:
- Controller - the organisation that decides why and how personal data is processed.
- Processor - the organisation that processes personal data on the controller’s instructions (typically a supplier/service provider).
A DPA is the contract that sits between the controller and the processor. UK GDPR requires the controller and processor to have a compliant written contract in place when a processor is used (whether that’s a standalone DPA or data processing terms built into a wider services agreement).
For many small businesses, the typical scenario is:
- You are the controller for your customer data and employee data.
- Your suppliers (IT providers, hosting providers, payroll companies, CRM tools, etc.) are processors - because they’re handling that data on your behalf.
And that’s when a DPA becomes important: it formally documents what the processor can and can’t do with your data, what security standards apply, and what happens if something goes wrong.
Why Does A DPA Matter For Small Businesses?
It’s easy to assume DPAs are “big company paperwork”, but they’re actually most useful when you’re small - because you’re more exposed if something goes wrong and you don’t have your legal foundations in place.
A well-drafted DPA helps you:
- show you’ve taken compliance seriously (which matters if you ever face a complaint or regulator scrutiny)
- reduce the risk of data misuse by suppliers
- set clear rules around security, subcontractors and breach notifications
- protect your reputation and customer trust
In other words: it’s not just a “GDPR admin task” - it’s part of your risk management.
When Do You Need A Data Processing Agreement?
You generally need appropriate data processing terms in place when:
- you’re a controller, and
- you appoint a processor to process personal data on your behalf.
This can apply even if you only share a small amount of personal data, and even if the processing feels routine.
Common Examples (Where Small Businesses Often Need A DPA)
Here are some very common “DPA moments” for SMEs:
- Cloud hosting / storage - storing customer files or staff records online. If you use tools like cloud drives, it's worth checking whether your setup is compliant (and what contracts sit behind it), especially if the data is stored or accessed overseas.
- Email marketing - uploading your customer email list into a marketing platform.
- Payroll providers - sharing employee personal data for payroll and pensions.
- Customer support tools - helpdesk tickets that include names, email addresses, order details, complaints, etc.
- Booking systems - appointment information often includes health information, accessibility notes, or other sensitive details depending on your industry. Health information is special category data under UK GDPR, so processing it calls for extra care.
- IT support - outsourced IT access to devices, email systems, or internal folders.
Even internal policies can be part of the bigger compliance picture - for example, if your team uses work devices to access customer data, an Acceptable Use Policy can help set clear boundaries and reduce risk.
When You Might Not Need A DPA
You might not need a DPA where:
- the other organisation is a separate controller (they decide how and why they use the data), or
- you’re sharing data on a controller-to-controller basis with each party responsible for their own compliance.
This is where businesses often get stuck: a supplier might say they’re a controller (or “independent controller”), but in practice they act like a processor - or the relationship might be mixed.
If you’re not sure, it’s worth getting advice early. Mis-labelling roles can cause issues later, especially if you have a breach or a customer complaint.
What Must A DPA Include Under UK GDPR?
UK GDPR requires specific terms to be included in a controller–processor contract (your DPA). While the legal wording matters, the concept is straightforward: the processor must only process data under your instructions and must keep it secure.
Practically, a DPA should cover the “who, what, why, how, and what if” of processing.
Core Clauses To Include In A DPA
A DPA will usually cover:
- Subject matter and duration of processing (what services are being provided, and for how long).
- Nature and purpose of processing (e.g. storing customer data to provide a SaaS platform).
- Types of personal data (names, contact details, payment info, employee records, etc.).
- Categories of data subjects (customers, staff, suppliers, website users).
- Your instructions as the controller (and that the processor must only act on them).
- Confidentiality commitments for anyone the processor authorises to access the data.
- Security measures (technical and organisational measures to protect data).
- Sub-processors (if the processor can outsource parts of the service, and what approvals/controls apply).
- Data breach notification obligations (how quickly they must tell you, and what information they must provide). UK GDPR requires a processor to notify the controller without undue delay after becoming aware of a personal data breach.
- Assistance with GDPR obligations (supporting you with data subject requests, DPIAs, and regulator enquiries where relevant).
- Deletion or return of data at the end of the services.
- Audit rights / compliance information (how you can check they’re doing what they promised).
- International data transfers (if data is accessed/stored outside the UK, what safeguards apply).
How DPAs Link With Your Other GDPR Documents
A DPA is one piece of the puzzle. You’ll usually also need to make sure your customer-facing documents and internal compliance measures line up, such as:
- your Privacy Policy (so customers and website users understand how their personal data is handled and who it’s shared with)
- your internal rules on handling personal data
- your incident response and breach management approach
And if you’re doing a broader compliance tidy-up, a structured approach like a GDPR package can help make sure the documents all work together, rather than living in separate silos.
How Do You Put A DPA In Place With Suppliers (Without Slowing Your Business Down)?
Most small businesses don’t want a long legal project just to onboard a tool or sign a supplier contract. The good news is: DPAs can be implemented efficiently, as long as you know what you’re looking for.
Step-By-Step: A Practical DPA Process
1. List your processors - Make a quick list of suppliers who touch personal data: payroll, IT support, cloud services, marketing tools, booking platforms, customer support systems.
2. Check what contract they're offering - Many suppliers include a DPA as part of their terms (sometimes as an online annex). That can be fine - but you still need to review it.
3. Confirm roles: controller vs processor - If they're processing data purely to provide services to you, they're likely a processor. If they're using the data for their own purposes, they may be a controller (or joint controller).
4. Check the "must-have" clauses - Look for instructions-only processing, security commitments, sub-processor controls, breach notification timing, audit rights, and end-of-contract deletion/return.
5. Watch for international transfers - If data is stored or accessed outside the UK, you need to ensure a lawful transfer mechanism is in place (for example, UK adequacy regulations, the ICO's International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses). This is a common hidden issue with tech suppliers, and remote access from overseas counts as a transfer too.
6. Keep a record - Save the executed DPA and note the date/version. If the supplier updates terms, you'll want a clear paper trail.
If you’d rather not guess whether a supplier’s document is “good enough”, getting a tailored Data Processing Agreement (or having key supplier DPAs reviewed) can save you a lot of stress later.
What If The Supplier Refuses To Sign Your DPA?
This happens sometimes, especially with larger providers who say: “These are our standard terms - take it or leave it.”
If that’s the case, you still have options:
- Risk assess the supplier (what data are they processing, how sensitive is it, what’s the impact if something goes wrong?).
- Reduce what you share (data minimisation is a core GDPR principle and it’s good business practice too).
- Look for alternative suppliers if the risk doesn’t match your comfort level.
- Negotiate key clauses (sometimes they won’t change everything, but they may adjust breach notification timing or sub-processor controls).
The key is to avoid signing something you don’t understand or can’t comply with. A DPA should work in the real world - not just look good on paper.
Common DPA Mistakes That Can Cause GDPR Headaches
DPAs are often treated as a tick-box, but small drafting or process errors can create real problems if you ever face a complaint, a dispute with a supplier, or a data breach.
1. Assuming “The Supplier’s Terms Cover It”
Sometimes they do. Sometimes they don’t.
A supplier might have privacy wording, but it may not meet UK GDPR controller–processor requirements. Or it might be missing key obligations, like:
- clear limits on sub-processors
- specific breach notification obligations
- what happens to data at contract end
2. Not Thinking About Sub-Processors
Your processor might use their own suppliers (sub-processors). For example, a software provider might host data with a third-party data centre, or outsource support overseas.
Your DPA should clearly address:
- whether sub-processors are permitted
- whether you get prior notice and/or approval rights
- what contractual standards the sub-processor must meet
3. Weak Breach Notification Timeframes
If a processor suffers a breach, the clock is yours, not theirs. As controller, you must report a notifiable breach to the ICO within 72 hours of becoming aware of it (where feasible), and tell affected individuals without undue delay where the breach is likely to result in a high risk to them. A processor that takes days to tell you eats into that window.
Your DPA should therefore require the processor to notify you without undue delay, with enough detail (what happened, what data and whose, what they've done about it) for you to assess the breach and decide whether the regulator and/or affected individuals need to be notified.
4. Forgetting About Internal Access And Human Error
Not all data issues come from hackers. Plenty of breaches happen because someone internally:
- shares the wrong spreadsheet
- emails personal data to the wrong person
- stores data in unapproved tools
That’s why DPAs should be supported by internal controls and training - and why it’s worth having clear business policies alongside your contracts (particularly if your team handles customer data daily).
5. Not Updating DPAs As Your Business Grows
What works when you have 50 customers might not work when you have 5,000.
As you grow, you may start processing more data, collecting more categories of data, or using additional suppliers. Your DPAs should evolve with you, especially if you expand internationally or add new product lines.
Key Takeaways
- A Data Processing Agreement (DPA) is the contract that sets out how a processor handles personal data on your behalf under UK GDPR.
- If you use suppliers to store, access, or manage customer or employee personal data (like cloud services, payroll, or marketing tools), you’ll likely need appropriate data processing terms in place.
- A compliant DPA should clearly cover instructions-only processing, confidentiality, security, breach notification, sub-processors, international transfers, and data deletion/return.
- Don’t assume a supplier’s “standard terms” automatically meet UK GDPR requirements - it’s worth reviewing the detail, especially for higher-risk processing.
- DPAs work best when they match your real business operations and are supported by your privacy documents and internal policies.
- If you’re unsure whether a supplier is a controller or processor, or whether the DPA terms are adequate, getting tailored legal advice early can save you major headaches later.
If you’d like help putting the right Data Processing Agreement in place (or reviewing what your suppliers are asking you to sign), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.