Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Does “Data Processor” Mean Under UK GDPR?
- Who Is Responsible For The Actions Of The Data Processor?
- What Is The Role Of The Processor Under UK GDPR?
- How To Handle Data Subject Rights When A Processor Is Involved
- Do You Need Consent To Share Data With A Processor?
- Practical Compliance Tips For Busy SMEs
- Key Takeaways
If your business uses software platforms, marketing agencies, payroll providers or cloud tools to handle personal data, you’re likely working with “data processors”. But if that processor makes a mistake, who’s on the hook?
Under the UK GDPR, small businesses acting as “data controllers” remain accountable for how personal data is processed – including when a third-party processor does the work on your behalf. The good news is you can manage this risk with the right contracts, checks and processes in place from day one.
In this guide, we’ll explain in plain English what a data processor is, who is responsible for the actions of the data processor, and the practical steps UK SMEs should take to stay compliant and protected.
What Does “Data Processor” Mean Under UK GDPR?
Let’s start with the basics. A “data controller” decides why and how personal data is processed. A “data processor” processes personal data on behalf of that controller and only on the controller’s documented instructions.
In practice, many small businesses are controllers. You choose the systems you use and instruct suppliers how to handle your customers’, employees’ or website users’ personal data. Examples of processors you might use include:
- Cloud storage and collaboration tools
- Email marketing platforms and CRMs
- Payroll, HR or accounting software
- IT support, managed services or analytics providers
- Fulfilment or call centre vendors
The controller–processor split matters because the legal duties differ. Controllers carry the overarching “accountability” duty. Processors have specific obligations too, but they act on your instructions and don’t decide the purposes or means of processing themselves.
If your supplier jointly decides purpose and means with you (for example, you co-design a data-driven product and agree which data to collect and how to use it), you could be “joint controllers”. That scenario changes liability and documentation, so it’s worth getting tailored advice if roles aren’t clear.
Who Is Responsible For The Actions Of The Data Processor?
Short answer: you, as the controller, are accountable for ensuring personal data is processed lawfully, fairly and securely – even when a processor does the day-to-day handling. This flows from the UK GDPR’s accountability principle and is reflected in the Data Protection Act 2018.
What does “accountable” mean in practice?
- You must choose a processor that provides sufficient guarantees of GDPR compliance (due diligence).
- You must set clear written instructions and ensure a compliant contract is in place.
- You must monitor the processor’s performance and security posture proportionately to risk.
- If things go wrong, you must respond lawfully (e.g. assess and report personal data breaches where required).
Does that mean a processor has no responsibility? Not at all. Processors have direct legal obligations under UK GDPR (for example, security, confidentiality, sub-processor control, breach notification to the controller). Regulators can take action against processors as well as controllers. But if you’re the controller, you can’t “pass the buck” by saying “our supplier handled it”. You remain ultimately responsible for your choice of processor and the instructions you give.
This is why a robust Data Processing Agreement (DPA) with every processor is essential – it documents your instructions, allocates responsibilities and builds in the controls UK GDPR requires.
What Is The Role Of The Processor Under UK GDPR?
Understanding the processor’s duties helps you set up the right controls in your contracts and processes. Under Article 28 UK GDPR and related provisions, a processor must:
- Only process personal data on your documented instructions.
- Keep personal data confidential and ensure authorised staff are under appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures.
- Not appoint sub-processors without your prior authorisation and a written contract that imposes equivalent obligations.
- Assist you with data subject rights (e.g. access, deletion) and compliance obligations (e.g. security, breach notification, DPIAs).
- At your choice, delete or return personal data at the end of the services and delete any copies unless law requires retention.
- Make available all information necessary to demonstrate compliance and allow for audits when appropriate.
As controller, you need to ensure these obligations are captured in your DPA and that your suppliers can actually meet them (for example: do they support timely responses to subject access requests? Can they promptly notify you of a security incident? Do they restrict sub-processors?).
What Documents And Controls Should Small Businesses Put In Place?
You don’t need to reinvent the wheel – but you do need a consistent, documented approach that fits your risk profile. A simple privacy framework for SMEs typically includes:
1) A Controller-Facing Privacy Suite
- A clear, accurate Privacy Policy describing what you collect, why, who you share it with and users’ rights.
- A transparent cookie approach, combining a Cookie Policy and a compliant consent mechanism. If you use cookies or similar tracking, make sure your consent tools align with UK rules – our guide to cookie banners that comply explains the essentials.
2) Processor Contracts And Schedules
- A signed Data Processing Agreement with each processor, setting out instructions, security measures, sub-processor control, assistance and exit obligations.
- A detailed processing annex or Data Processing Schedule describing the subject matter, duration, nature and purposes of processing, types of personal data and categories of data subjects.
- Where you disclose data to another controller (e.g. a partner acting independently), a Data Sharing Agreement clarifying roles and responsibilities.
3) Governance And Response
- Supplier due diligence and onboarding checks covering security certifications, sub-processor lists, locations of data (including any international transfers), and incident processes.
- Internal processes for handling rights requests, including identifying processors involved so you can coordinate responses.
- A tested Data Breach Response Plan so you can assess incidents quickly and notify the ICO and affected individuals where required.
If this feels like a lot, don’t stress. Putting these pieces in place early will make day-to-day compliance much easier – and it will reduce the time you spend firefighting if something goes wrong.
How Do You Choose And Manage A Processor Responsibly?
Your responsibility starts before you sign. Here’s a practical approach that works for most SMEs.
Step 1: Map The Data And Define Your Instructions
Be clear on what personal data the processor will handle and why. Draft short written instructions that reflect your purposes, retention approach and any special restrictions (for example, no profiling, no training AI models on your data, approved transfer locations).
Step 2: Run Proportionate Due Diligence
Ask for information that demonstrates real-world compliance:
- Security certifications (e.g. ISO 27001) or independent assessments.
- Sub-processor lists and change notification process.
- Data location and transfer mechanisms (Standard Contractual Clauses, UK Addendum, etc.).
- Uptime, backup, and encryption practices.
- Support for user rights and deletion.
- Incident response: how and when they notify you.
If you’re adopting AI tools or large cloud suites, double-check how they handle training data – our overview of using AI tools safely under GDPR is a good companion to your checks; see practical tips in our article on ChatGPT and GDPR.
Step 3: Put The Right Contract In Place
Use a DPA that matches UK GDPR’s mandatory elements and your business risk. Avoid one-sided “trust us” clauses. Make sure the processor will: follow your instructions, obtain your approval before adding sub-processors, assist with rights requests, delete/return data on exit, and support audits proportionately.
Step 4: Monitor And Review
Build light-touch oversight into business-as-usual:
- Keep a register of processors and sub-processors.
- Review security summaries and breach history annually or when risks change.
- Update DPAs if your processing evolves (for example, new data types or purposes).
What Happens If Your Processor Breaches UK GDPR?
If a processor suffers a security incident or mishandles data, both you and the processor may face consequences – but responsibilities differ.
Regulatory Action And Liability
- The ICO can take action against processors for breaching their direct obligations (e.g. inadequate security), and against controllers for failing the accountability principle (e.g. poor due diligence, missing contracts).
- Individuals can seek compensation for material or non-material damage. Controllers and processors may be jointly and severally liable depending on who is at fault, with rights to claim back from each other based on responsibility.
- Contractual indemnities in your DPA can help manage financial risk between you and your processor – they don’t remove regulatory risk but they can address who pays for what.
Immediate Actions If A Processor Incident Occurs
Move quickly and methodically:
- Require the processor to notify you without undue delay and share incident details and logs.
- Assess risk to individuals. If the breach is likely to result in a risk to rights and freedoms, notify the ICO within 72 hours of becoming aware. If it’s high risk, notify affected individuals as well.
- Contain and remediate with the processor: revoke access, rotate keys, apply patches, or suspend processing if needed.
- Document everything. The UK GDPR requires you to keep a breach register and your decision-making trail (even where you decide not to notify).
- Review and improve: update instructions, tighten access, revisit sub-processor approvals, and test your plan.
If your processor is outside the UK or uses overseas sub-processors, check that appropriate transfer mechanisms are in place and that notifications can legally and practically flow back to you in time. You should also consider whether the incident affects your legal grounds to continue sharing data; in some cases, it may be safer to suspend processing while you reassess.
Common Scenarios: Who Is Responsible For What?
It’s easier to understand responsibility with concrete examples. Here are typical SME scenarios.
Marketing Platform Sends A Campaign To The Wrong Segment
You upload your customer list to a platform and instruct the send. The platform’s UI bug causes the message to reach the wrong audience.
You, as controller, are accountable for your marketing practices and must assess and respond to the incident. The processor is responsible for its security and system integrity. If individuals complain, you may face regulatory scrutiny unless you can show appropriate due diligence and a strong DPA. Your DPA should include indemnities for processor-caused incidents.
IT Support Copies Data To An Unauthorised Personal Device
You instruct your managed IT provider to migrate devices. A technician copies files to a personal USB for convenience.
This is a clear processor breach of confidentiality and your instructions. You must manage the breach response and may need to notify. Contractually, you should enforce your DPA’s security requirements and seek remedies. Longer term, tighten onboarding, training and logging requirements for the provider.
Cloud Tool Trains Its AI On Your Customer Data Without Consent
A cloud vendor updates terms to allow training on customer data. You didn’t authorise this.
The vendor has gone beyond your instructions and may be acting as a controller for that purpose. You remain accountable for choosing the vendor and should challenge the change, disable training, or exit. Build in contractual prohibitions on model training and require opt-out controls upfront.
How To Handle Data Subject Rights When A Processor Is Involved
As controller, you must respond to rights requests (access, rectification, erasure, objection, portability, restriction) within legal timeframes. Processors must assist you. To make this work in practice:
- Define a single intake channel for requests and verify identity consistently.
- Maintain a processing map so you know which processors hold copies.
- Use contractual service levels so processors send you the needed data quickly.
- Train your team to recognise requests and pause any automated deletions that could frustrate them.
If your business handles frequent requests, build and document a playbook aligned with your subject access requests obligations, including when you may refuse or extend.
Do You Need Consent To Share Data With A Processor?
Generally, you don’t need separate consent to use a processor – you’re not changing the purpose, just outsourcing the processing. But you must be transparent in your Privacy Policy, ensure a lawful basis for the underlying processing, and put a compliant DPA in place. If you’re sharing data with another independent controller, the rules are stricter and, in some cases, consent may be required depending on the context; our guide on when you can share personal information without consent explains the factors to weigh.
Frequently Asked Questions
Is The Data Processor Responsible For Fines?
Regulators can fine both controllers and processors. Whether a processor pays depends on the facts and on your contract. A good DPA will include liability and indemnity clauses to allocate financial risk fairly.
What If The Processor Ignores My Instructions?
That’s a breach. Treat it as an incident, consider suspending the service, and enforce your contract. You remain accountable for overall compliance, so document your response and remediation steps.
Do I Need To Name All Processors In My Privacy Policy?
Transparency is key. You should at least describe categories of recipients and, for higher-risk processing, many businesses list key vendors. In all cases, keep your internal register complete.
What If My Processor Uses Sub-Processors?
They can, but only with your prior authorisation and a contract that imposes equivalent obligations. Require change notifications and the right to object to risky additions.
How Do Cookies And Analytics Fit In?
Analytics and advertising vendors often act as processors, but sometimes as controllers for their own purposes. Make sure your cookie consent and disclosures are accurate and that your tools support a “reject all” option where required – our cookie banner guidance is a helpful reference in addition to your Cookie Policy.
Practical Compliance Tips For Busy SMEs
- Keep it simple: standardise your DPA and onboarding questionnaire so you can onboard new vendors quickly but safely.
- Focus on risk: apply deeper due diligence to vendors handling sensitive data or large volumes, or that materially affect your operations.
- Check transfers: if your processor stores data outside the UK, confirm transfer tools and perform a transfer risk assessment.
- Be transparent: update your Privacy Policy when you add key vendors or change purposes.
- Plan for incidents: maintain and test your Data Breach Response Plan, including how a processor will contact you after hours.
- Train your team: make sure staff know how to spot red flags and escalate quickly.
If you routinely share data with other organisations for their independent use, add a Data Sharing Agreement to your toolkit, and double-check your lawful basis and transparency statements.
Key Takeaways
- Under UK GDPR, controllers remain accountable for personal data even when a processor handles it. You can’t outsource responsibility, only execution.
- Processors have their own legal obligations, but your protection hinges on choosing reputable suppliers and having a robust Data Processing Agreement with clear instructions, security and sub-processor controls.
- Put a practical privacy framework in place: an accurate Privacy Policy, a compliant cookie approach, processor contracts with a solid Data Processing Schedule, and a tested Data Breach Response Plan.
- If a processor incident occurs, act fast: assess risk, notify where required, remediate, document decisions and strengthen controls.
- Build light-touch governance: keep a processor register, review security annually, and make sure your vendors can help you meet rights requests and transparency duties, including around when you can share personal information without consent.
If you’d like help putting the right contracts and processes in place – or you want us to review your current vendors and paperwork – you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.