How to Draft a Data Processing Agreement in the UK

If you need to know how to draft a data processing agreement in the UK, you're likely sharing personal data with a supplier, contractor, or SaaS tool — and UK GDPR requires you to have a written contract in place before that happens. A data processing agreement (DPA) sets out what data is being processed, why, how it must be handled, and what happens if something goes wrong. Without one, both you and your processor are exposed to ICO enforcement action and potential fines. This guide walks through every clause you need to include, what UK GDPR Article 28 actually requires, and where founders typically get it wrong. It's written for UK businesses — not US templates, not generic GDPR advice. Whether you're onboarding a payroll provider, a marketing agency, or a cloud storage tool, the same core structure applies. You don't need a solicitor for a standard DPA, but you do need to get the substance right.

Why this matters

Most UK founders only think about a data processing agreement when a supplier asks for one — or when they realise they've been sharing customer data with a third party for months without any written terms. The problem isn't just legal exposure. It's that generic templates pulled from the internet often miss UK-specific requirements, use outdated GDPR language, or leave out critical clauses around sub-processors and breach notification. Getting this wrong isn't a technicality — the ICO has issued enforcement notices to businesses of all sizes for failing to have adequate controller-processor contracts in place.

The Atornee approach

Atornee lets you generate a UK-compliant data processing agreement in minutes, built around UK GDPR Article 28 requirements rather than a generic EU template. You answer plain-English questions about your processing activities, the types of data involved, and your processor's role — and Atornee produces a structured DPA you can review, edit, and send. It's not a one-size-fits-all download. It's a document shaped to your actual situation. If your setup is complex — multiple sub-processors, international transfers, sensitive data categories — Atornee flags where you should get a solicitor involved rather than pretending the document covers everything.

What you get

A UK GDPR Article 28-compliant DPA structure covering all mandatory clauses, including subject matter, duration, nature and purpose of processing, and data subject rights obligations.
Clear sub-processor provisions so you can lawfully authorise third-party tools your processor uses without creating a compliance gap.
Breach notification and security obligations drafted to align with ICO expectations, not just minimum statutory wording.
Deletion and return of data clauses that actually specify what happens to personal data when the contract ends.
Plain-English guidance on where your DPA intersects with international transfer mechanisms, so you know when a separate addendum is needed.

Before you sign checklist

1. Identify every third party that processes personal data on your behalf — payroll, CRM, email tools, analytics platforms, support software.
2. Confirm whether each relationship is controller-processor or controller-controller, as a DPA only applies to the former.
3. Map the categories of personal data being shared and the specific purposes for which the processor handles it.
4. Check whether the processor uses any sub-processors and whether your DPA needs to authorise them specifically or generally.
5. Confirm where data is stored and processed — if outside the UK, you may need a UK International Data Transfer Agreement (IDTA) or addendum.
6. Generate your DPA using Atornee, review the output against your actual processing activities, and adjust any clauses that don't fit.
7. Get both parties to sign before any personal data is transferred, and store a copy with your records of processing activities (ROPA).

FAQ

Is a data processing agreement legally required in the UK?

Yes. UK GDPR Article 28 requires that any processing carried out by a processor on behalf of a controller is governed by a binding written contract. This applies regardless of business size. If you're sharing personal data with a supplier or tool that processes it on your instructions, you need a DPA in place before processing starts.

What must a UK data processing agreement include?

Under UK GDPR Article 28(3), a DPA must cover: the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, and the controller's obligations and rights. It must also require the processor to only act on documented instructions, ensure confidentiality, implement appropriate security measures, assist with data subject rights, support breach notification, delete or return data at contract end, and provide audit assistance.

Can I use a US or EU GDPR template for a UK DPA?

Not without modification. The UK left the EU's GDPR framework and now operates under UK GDPR, which is largely similar but has diverged in some areas — particularly around international transfers, where the UK uses its own IDTA mechanism rather than EU Standard Contractual Clauses. A template drafted purely for EU GDPR may reference the wrong legal basis, wrong supervisory authority, or wrong transfer mechanisms. Always use a UK-specific template.

Do I need a DPA with every SaaS tool I use?

If the tool processes personal data on your behalf — even just storing customer email addresses — then yes, technically you need a DPA. Most reputable SaaS providers include a DPA in their terms or offer one on request. Check their privacy or legal documentation first. If they don't offer one and they're handling significant personal data, that's a red flag worth escalating.

What happens if I don't have a data processing agreement in place?

You're in breach of UK GDPR, which can result in ICO enforcement action, fines, and reputational damage. The ICO has the power to issue fines of up to £17.5 million or 4% of global annual turnover for serious infringements. In practice, smaller businesses are more likely to receive warnings or enforcement notices first, but the absence of a DPA is a clear compliance failure that the ICO takes seriously.

When should I get a solicitor to review my DPA instead of using a template?

Use a solicitor if you're processing special category data (health, biometric, financial), if you're dealing with large volumes of data subjects, if the processor is based outside the UK and you need to layer in transfer mechanisms, or if the commercial relationship is high-value and the liability provisions need negotiating. For standard supplier relationships — payroll, email marketing, CRM — a well-drafted template is usually sufficient.

Authored by: Atornee Editorial Team, UK Data Protection and Contract Research

Reviewed by: Compliance Review Desk, UK Business Legal Content QA

Last reviewed on 3/4/2026

"This content is based on analysis of UK GDPR Article 28 requirements, ICO enforcement guidance, and common DPA drafting patterns across UK SME supplier relationships. It reflects practical patterns observed in controller-processor contracting for UK businesses of varying sizes and sectors."