Lawyer reviewed templates
Data Processing Agreement for UK Small Businesses
If you run a small business in the UK and you share personal data with a third-party supplier (a payroll provider, a CRM platform, a marketing agency), you almost certainly need a data processing agreement, which UK GDPR requires. Most small business owners either skip it entirely or copy a generic template that doesn't reflect their actual setup. Both are risky.
A data processing agreement (DPA) sets out what your processor can do with the data, how long they hold it, what security measures they apply, and what happens if something goes wrong. The ICO can and does investigate small businesses. A missing or inadequate DPA is one of the first things they look for.
Atornee lets you draft a DPA that's specific to your business relationship, not a one-size-fits-all document, without paying solicitor rates for a straightforward agreement. You answer questions about your setup, Atornee drafts the document, and you can review or adjust it before sending. If your situation is complex (cross-border transfers, sensitive data categories, high-volume processing), we'll tell you when to bring in a solicitor.
FAQ
Do small businesses in the UK actually need a data processing agreement?
Yes. UK GDPR Article 28 requires a written contract between a controller and any processor handling personal data on their behalf. This applies regardless of business size. If you use a payroll provider, a cloud CRM, or an outsourced IT support company, you need a DPA in place. The ICO does not exempt small businesses from this requirement.
What's the difference between a data processing agreement and a privacy policy?
A privacy policy is a public-facing document that tells your customers and website visitors how you use their data. A data processing agreement is a private contract between you (the controller) and a third party (the processor) who handles data on your behalf. You need both, but they serve completely different purposes. A DPA is not published — it's signed and stored.
Can I use a free template for a data processing agreement?
You can, but most free templates are either too generic to be meaningful or based on EU GDPR rather than UK GDPR post-Brexit. A DPA needs to reflect your actual data flows, your specific processor, and the correct legal framework. A template that doesn't match your situation gives you a false sense of compliance. Atornee drafts around your specifics rather than giving you a blank form to fill in.
What happens if I don't have a data processing agreement in place?
You're in breach of UK GDPR Article 28. If the ICO investigates — following a data breach, a complaint, or a routine audit — a missing DPA is one of the first things they check. Fines for UK GDPR breaches can reach £17.5 million or 4% of global annual turnover, whichever is higher. For small businesses, even a lower-tier fine or a formal reprimand can be damaging. It's a straightforward document to have in place.
Does my DPA need to cover sub-processors?
Yes, if your processor uses sub-processors — for example, your payroll provider uses a cloud hosting company — your DPA should address this. Under UK GDPR, processors must get your authorisation before engaging sub-processors, and they must impose equivalent obligations on them. Your DPA should either list approved sub-processors or set out a process for notifying you when new ones are added.
When should I get a solicitor involved instead of using Atornee?
Use a solicitor if you're processing special category data at scale (health, biometric, criminal records), if you're transferring data internationally and need a transfer impact assessment, or if your processor is pushing back on terms and you're negotiating a complex agreement. For a standard DPA covering routine processing — a marketing platform, an accountant, a cloud tool — Atornee gives you a solid, compliant draft without the cost.
Related Atornee Guides
Cheap Contract Solicitor Alternative (UK)
Compare broader contract workflow options for small businesses managing multiple supplier agreements.
Cheap Solicitor for NDA (UK)
If confidentiality is also a concern alongside data processing, pair your DPA with an NDA.
Atornee Use Cases
See how UK founders and operators use Atornee across different contract and compliance workflows.
External References
ICO Guidance for Organisations
The UK data protection authority's official guidance on Article 28 obligations and data processing agreements.
UK Legislation
Primary statutory reference for UK GDPR and the Data Protection Act 2018.
GOV.UK Business and Self-employed
Official UK government guidance on business compliance obligations including data protection.
Trust & Verification Policy
Authored By
Atornee Editorial Team
UK Data Protection and Contract Research
Reviewed By
Compliance Review Desk
UK Business Legal Content QA
"This content is based on analysis of UK GDPR Article 28 requirements, ICO enforcement guidance, and common data processing scenarios faced by UK small businesses. It reflects practical patterns observed across supplier contracts, SaaS agreements, and outsourced service relationships in the UK market."
This is AI-generated guidance, not legal advice.