Create a Data Processing Agreement (DPA) compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Covers Controller/Processor obligations under Article 28, breach notification within 72 hours to the ICO, data subject rights, international transfer safeguards, and sub-processor management. Suitable for any UK business engaging a third-party data processor.
What Is a Data Processing Agreement — UK GDPR (DPA 2018)?
A Data Processing Agreement (DPA) is a legally binding contract between a Data Controller and a Data Processor that governs the processing of personal data. In the United Kingdom, entering into a DPA is a mandatory legal requirement under Article 28(3) of the UK General Data Protection Regulation (UK GDPR), which forms part of domestic law by virtue of the European Union (Withdrawal) Act 2018. The agreement sets out the rights and obligations of both parties in relation to the processing of personal data and is a critical component of any organisation's data protection compliance framework.
Following the UK's departure from the European Union, the UK retained the EU GDPR as the cornerstone of its domestic data protection framework, supplemented by the Data Protection Act 2018 (DPA 2018). The UK GDPR is functionally equivalent to the EU GDPR in most respects but has been adapted for the UK domestic context, including the appointment of the Information Commissioner's Office (ICO) as the principal supervisory authority.
Under the UK GDPR, a Data Controller is the entity that determines the purposes and means of processing personal data — for example, a business that instructs a cloud software provider to store and manage its customer records. The Data Processor is the entity that processes personal data on behalf of the Controller — in this example, the cloud provider. Both the Controller and the Processor have distinct obligations under the UK GDPR, and the DPA is the mechanism through which those obligations are formally established and documented.
Our UK Data Processing Agreement template is drafted in accordance with Article 28 of the UK GDPR and the ICO's guidance on Controller-Processor relationships. It covers all mandatory elements, including the subject matter, nature, and purpose of the processing, the categories of personal data and data subjects, the duration of processing, the Processor's obligations regarding security measures under Article 32, prompt notification of personal data breaches to the Controller so that the Controller can meet its own 72-hour deadline to the ICO, assistance with data subject rights, international transfer safeguards, sub-processor management, and audit rights.
When Do You Need a Data Processing Agreement — UK GDPR (DPA 2018)?
A Data Processing Agreement is legally required whenever a Data Controller engages a third party to process personal data on its behalf, and that third party processes the data only on the Controller's instructions. This applies across a vast range of common business relationships in the UK.
You need a DPA whenever you use a cloud computing service (such as a CRM, HR system, payroll platform, or email marketing tool) that processes your customers' or employees' personal data. Similarly, if you outsource IT support, customer service, accounting, or any other function that involves access to personal data, the provider of those services is acting as your Data Processor and a DPA is required.
The obligation also applies if you use a recruitment agency or employment business that processes personal data of job applicants on your behalf, if you engage a market research firm to process customer data for analysis, or if you use a third-party payment processor that handles personal financial information of your customers.
The consequences of failing to have a compliant DPA are significant. The ICO can impose fines of up to £17.5 million or 4% of total worldwide annual turnover (whichever is higher) for the most serious infringements of the UK GDPR, such as breaches of the data protection principles, data subject rights, or the transfer rules. Breaches of the Article 28 processor-contract requirements fall within the standard maximum of £8.7 million or 2% of worldwide annual turnover (whichever is higher), but an unmanaged processor relationship frequently leads to breaches of the Article 5 principles and Article 32 security obligations as well, which do attract the higher maximum. Beyond regulatory fines, the absence of a DPA exposes businesses to reputational damage, loss of customer trust, and civil claims from data subjects whose rights have been infringed.
Even where an Article 28 contract is not required — for example, where personal data is shared between two independent controllers — it remains best practice to document the data sharing arrangement in writing, as recommended by the ICO's data sharing code of practice, to demonstrate accountability under Article 5(2) of the UK GDPR. Note that joint controllers are a separate case: Article 26 requires them to have a transparent arrangement setting out their respective responsibilities, so a written agreement is required there too, just not one in the Article 28 form.
What to Include in Your Data Processing Agreement — UK GDPR (DPA 2018)
A compliant Data Processing Agreement for UK businesses must contain several mandatory elements as prescribed by Article 28(3) of the UK GDPR, supplemented by the ICO's guidance on processor contracts.
The parties section must clearly identify the Data Controller and Data Processor by their full legal names and registered addresses. Where the controller is providing instructions to the processor, the agreement must make clear that the processor acts only on documented instructions from the controller.
The processing details section is the operational core of the agreement. It must specify: the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data being processed; and the categories of data subjects affected. This information must be sufficiently detailed to demonstrate that the processing is limited to what is necessary for the specified purpose — reflecting the data minimisation principle under Article 5(1)(c) of the UK GDPR.
The processor obligations section must cover all the mandatory requirements of Article 28(3), including: processing only on the Controller's documented instructions, including in relation to international transfers; the confidentiality obligation (ensuring that all authorised persons are bound by appropriate confidentiality undertakings); security measures under Article 32 (specifying the technical and organisational measures implemented by the processor); sub-processor management (requiring the Controller's prior specific or general written authorisation before engaging sub-processors, notice of any intended changes, and flowing down equivalent obligations to sub-processors); assistance with data subject rights; assistance with the Controller's Article 32–36 obligations (security, breach notification, and data protection impact assessments); deletion or return of personal data on termination; audit rights, including making available all information necessary to demonstrate compliance; and an obligation on the Processor to inform the Controller immediately if, in its opinion, an instruction infringes the UK GDPR or other UK data protection law.
The breach notification provisions are of particular importance. Under Article 33(1), the Controller must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Article 33(2) only requires the Processor to notify the Controller "without undue delay", so the DPA should fix a contractual deadline — typically 24 hours — to give the Controller adequate time to assess the breach and meet its own deadline. The notification should include a description of the breach, the categories and approximate number of affected data subjects and records, contact details of the Processor's data protection point of contact, likely consequences, and measures taken or proposed. Because the Processor will rarely have all of this information immediately, the DPA should allow for an initial notification followed by the remaining details as they become available, mirroring the phased notification that Article 33(4) permits the Controller to make to the ICO.
The international transfers section addresses the restrictions in Chapter V of the UK GDPR on transferring personal data outside the United Kingdom. Unless the destination country benefits from UK adequacy regulations (which currently cover, among others, the EEA member states), appropriate safeguards must be in place, such as the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment. The clause should require the Processor to obtain the Controller's authorisation before any transfer and to ensure that sub-processors outside the UK are covered by the same safeguards.
Finally, the governing law clause should specify the laws of England and Wales as the governing law and designate the courts of England and Wales as having exclusive jurisdiction, ensuring that any disputes are resolved in a forum familiar with UK data protection law.
Related Documents
You may also find these documents useful:
Data Processing Agreement — UK GDPR (England & Wales)
Create a Data Processing Agreement (DPA) fully compliant with UK GDPR Article 28 and the Data Protection Act 2018 for England and Wales. This template covers all mandatory Article 28(3) processor obligations, ICO registration, sub-processor authorisation with prior notice, UK IDTA provisions for international transfers outside the UK, technical and organisational security measures under Article 32, personal data breach notification timelines, data subject rights assistance, DPIA support, audit rights with advance notice, and data deletion or return obligations. Includes controller ICO registration details, special category data provisions, and automatic termination with the principal services agreement. Governing law: England and Wales. Download as PDF or Word.
Privacy Policy (UK)
Create a comprehensive UK Privacy Policy compliant with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. This template covers data controller identification, ICO registration, lawful bases for processing, data subject rights, cookies under PECR, international data transfers, data retention, and breach notification. Suitable for websites, apps, and online services operating in England and Wales. Fill in your organisation's details, preview in real time, and download as PDF or Word.
Non-Disclosure Agreement (NDA) (UK)
Protect your confidential business information in England and Wales with a legally sound Non-Disclosure Agreement. Whether you are sharing trade secrets with a prospective partner, disclosing proprietary technology to a developer, or presenting financial projections to a potential investor, a properly drafted UK NDA keeps your sensitive information under strict legal protection. Our template is drafted in accordance with English common law and incorporates the key provisions required for enforceability in England and Wales.
Service Agreement (UK)
Create a comprehensive UK service agreement governed by the laws of England and Wales. Covers the Consumer Rights Act 2015, Supply of Goods and Services Act 1982, Late Payment of Commercial Debts (Interest) Act 1998, UK GDPR, IR35, VAT, intellectual property, and confidentiality. Suitable for consultants, freelancers, agencies, and businesses of all sizes.
GDPR Data Breach Notification Form (England & Wales)
Create a comprehensive UK GDPR Data Breach Notification Form compliant with Articles 33 and 34 of the UK General Data Protection Regulation and the Data Protection Act 2018. This template covers mandatory ICO notification within the 72-hour window, data subject communication obligations, breach classification (confidentiality, integrity, availability), categories of personal data affected, scale assessment, risk evaluation, remediation measures, and incident reporting to the relevant competent authority under the NIS Regulations 2018 where those regulations also apply. Suitable for data controllers of all sizes operating in England and Wales. Download as PDF or Word.