Review My Data Processing Agreement


Data Processing Agreement Review Checklist: What to Check Before You Sign

If you're a UK business sharing personal data with a third-party supplier or processor, you need a data processing agreement (DPA) in place — and more importantly, you need to know what's actually in it. This data processing agreement review checklist for UK businesses walks you through the clauses that matter, the red flags that should give you pause, and the points where you should stop and get a solicitor involved. Under UK GDPR and the Data Protection Act 2018, controllers are legally responsible for ensuring their processors meet specific obligations. A poorly drafted or one-sided DPA can leave you exposed to ICO enforcement, data subject claims, and contractual disputes. Most founders sign these without reading them properly — often because they're buried in a vendor onboarding flow. This guide is for anyone who wants to understand what they're agreeing to before they click accept.


Why this matters

You've been sent a data processing agreement by a SaaS vendor, payroll provider, or marketing agency. It's 12 pages long, written in dense legal language, and you need to sign it to get started. The problem isn't just that it's hard to read — it's that a bad DPA can expose your business to ICO fines, liability for your processor's mistakes, and obligations you didn't know you were taking on. Most UK founders either sign without reviewing or assume their supplier's standard terms are fine. They're often not. Knowing what to look for — and what to push back on — is the difference between a DPA that protects you and one that works against you.

The Atornee approach

Atornee lets you upload your data processing agreement and get a structured review in minutes. It flags missing clauses required under UK GDPR, highlights one-sided liability terms, and identifies where the agreement deviates from ICO guidance. You're not getting a generic AI summary — you're getting a clause-by-clause breakdown mapped to what UK law actually requires from a DPA. If Atornee identifies issues that need negotiation or legal advice, it tells you clearly rather than pretending everything is fine. It's built for UK businesses that need to move quickly but can't afford to sign something they don't understand.

What you get

A clause-by-clause review of your DPA mapped against UK GDPR Article 28 requirements
Clear identification of missing mandatory provisions — such as sub-processor controls, audit rights, and data deletion obligations
Red flag alerts for liability caps, indemnity imbalances, and vague security obligation language
Plain-English explanations of what each clause means for your business as the controller or processor
Escalation prompts that tell you when a clause needs a solicitor's input before you sign

Before you sign checklist

1. Confirm whether you are the controller or processor in this relationship. Your obligations differ significantly under UK GDPR.
2. Check that the DPA identifies the subject matter, duration, nature and purpose of processing, the type of personal data and the categories of data subjects, as required by Article 28(3) UK GDPR.
3. Verify the agreement restricts the processor to processing data only on your documented instructions, and requires it to tell you if an instruction would breach data protection law.
4. Review sub-processor provisions. Article 28(2) allows either specific prior written authorisation for each sub-processor or a general authorisation; if the DPA relies on a general authorisation, it must still oblige the processor to notify you of intended changes and give you a genuine opportunity to object, and the processor must flow the same data protection obligations down to each sub-processor.
5. Check that the processor is obliged to assist you with data subject rights requests, personal data breach notifications and DPIAs, and to notify you of any personal data breach without undue delay.
6. Look at the data deletion or return clause. It should specify what happens to your data when the contract ends, including deletion of existing copies unless retention is required by law.
7. If the processor is based outside the UK or transfers data internationally, confirm there is an appropriate transfer mechanism in place, such as UK adequacy regulations, the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.

FAQ

Is a data processing agreement legally required in the UK?

Yes. Under Article 28 of UK GDPR, if you engage a third party to process personal data on your behalf, you must have a written contract in place that sets out specific obligations. This applies whether you are a small business or a large enterprise. The ICO can take enforcement action if you cannot demonstrate you have appropriate processor agreements in place.

What must a UK data processing agreement include?

At minimum, a UK GDPR-compliant DPA must cover: the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, your obligations and rights as controller, restrictions on the processor acting outside your instructions, confidentiality obligations, security measures, sub-processor controls, assistance with data subject rights and breach notifications, and data deletion or return on termination.

What are the biggest red flags in a data processing agreement?

Watch out for: vague security obligations with no reference to specific measures or standards; sub-processor clauses that allow the processor to appoint anyone without notifying you or giving you a right to object; liability caps that exclude data protection breaches entirely; no obligation on the processor to notify you of a personal data breach without undue delay (you, as controller, have only 72 hours from becoming aware to notify the ICO, so a slow or silent processor can put you in breach); data retention clauses that let the processor keep your data indefinitely; and international transfer provisions that don't reference a UK-approved transfer mechanism such as the IDTA or UK Addendum.

Can I use a supplier's standard DPA or should I negotiate?

You can use a supplier's standard DPA if it genuinely meets UK GDPR requirements — but many don't. Large vendors often use terms that favour them heavily. As the controller, you remain liable for your processor's compliance failures if you haven't done due diligence. It's worth reviewing the terms carefully and pushing back on clauses that leave you exposed, particularly around liability, sub-processors, and breach notification timescales.

When should I get a solicitor to review a data processing agreement?

You should escalate to a solicitor if: the DPA involves high-risk processing such as health data or large-scale profiling; there are significant liability or indemnity provisions you don't understand; the agreement involves international data transfers with complex transfer mechanisms; or you're being asked to sign as a processor and take on obligations that could expose your business to claims from the controller's data subjects. Atornee will flag these situations during review.

Does a DPA need to be a separate document?

No. UK GDPR requires the processing terms to be set out in a contract or other legal act, but this can be incorporated into a broader services agreement rather than a standalone document. What matters is that the required provisions are present and clearly documented, not that they sit in a separate file. That said, a standalone DPA is often cleaner and easier to audit.


Authored by: Atornee Editorial Team (UK Data Protection and Contract Research)

Reviewed by: Compliance Review Desk (UK Business Legal Content QA)

Last reviewed on 3/4/2026

"This content is based on analysis of UK GDPR Article 28 requirements, ICO enforcement guidance, and review of common DPA structures used by UK SaaS vendors and service providers. It reflects practical patterns identified across real supplier agreements reviewed by UK businesses."
