Alex Denne
Growth @ Genie AI | Introduction to Contracts @ UCL Faculty of Laws | Serial Founder

Setting Up a Data Processing Agreement (UK)

9 Jun 2023

Note: Links to our free templates are at the bottom of this long guide.
Also note: This is not legal advice

Introduction

Data processing agreements are a key element of any business's data protection strategy. They provide the legal framework that allows companies to process personal information without infringing the rights of the individuals whose data is involved. The Genie AI team understands why it is essential for businesses to keep their data processing agreements up to date and compliant with all applicable data protection regulations.

The agreements set out the terms under which data will be processed by the processor, the organisation responsible for managing this information, and must adhere to UK laws such as the GDPR and the Data Protection Act 2018, as well as any additional regional regulations in place. This ensures that businesses protect customers' personal data securely and do not share it with third parties without permission from those individuals. It also means that sensitive data such as medical records or financial details is not used beyond what has been specified in the contract - something customers can withdraw their consent from at any time.

What's more, these agreements also protect organisations themselves by assigning liability if anything goes wrong during processing, for instance if mistakes occur or unauthorised use takes place. This holds businesses accountable for their actions, so customers have assurance that their data is being handled responsibly and with due care and attention.

Lastly, having a valid agreement in place demonstrates a business's commitment to protecting customer information - something that could be attractive to current and potential customers alike.

In summary, knowing when a Data Processing Agreement (UK) is needed and what it should include is critical knowledge for anyone looking after customers' private information today, whether they are an SME or a larger enterprise. Following our step-by-step guidance below is an easy way to ensure your business stays protected while adhering fully to all UK laws on personal data handling - alternatively, you can access Genie AI's free template library here today!

Definitions

Data Protection Act 2018: A UK law that sets out the rules for how data should be collected, stored, and processed.
General Data Protection Regulation (GDPR): A set of rules that govern the collection and processing of personal data in the European Union.
Health Insurance Portability and Accountability Act (HIPAA): A US law designed to protect the privacy of individuals’ health information.
Payment Card Industry Data Security Standard (PCI DSS): A set of standards for companies that process credit card payments.
Data Controller: An individual or organisation that determines the purpose and means of processing personal data.
Data Processor: An individual or organisation that processes data on behalf of the data controller.
Data Subject: An individual whose data is being collected, stored and processed.
Consent: Permission from the data subject for the data processing.
Contract: A legally binding agreement between two or more parties.
Legal Obligation: An obligation imposed by law.
Vital Interests: An individual’s life or physical safety.
Public Interest: The greater good of the public.
Legitimate Interests: An interest that is legally recognised as valid.
Encryption: The process of transforming data into a form that is unreadable and secure.
Pseudonymisation: The process of replacing personal data with artificial identifiers.
Access Control: Restricting access to data or systems to authorised individuals.
Data Minimisation: The process of limiting the collection and storage of personal data.
Data Retention Policy: A policy that sets out the period of time for which data should be stored.
Timeframe: The period of time specified in an agreement.
Notification: The process of informing people about an event or situation.
Warranties: Promises or guarantees made by one party to another.
Indemnities: A promise to compensate for any losses or damages incurred.

Contents

  1. Understanding the legal requirements for data processing agreements in the UK
  2. Researching applicable laws and regulations
  3. Defining the roles and responsibilities of the data controller and data processor
  4. Identifying the parties involved
  5. Outlining the roles and responsibilities of each party
  6. Specifying the types of data to be processed
  7. Identifying the categories of data
  8. Specific types of data to be collected, stored and processed
  9. Identifying the purpose of the data processing
  10. Outlining the purpose of the processing
  11. Establishing the legal basis for the data processing
  12. Establishing mechanisms for data security and privacy
  13. Defining the measures to be taken to protect data
  14. Specifying the timeframe for implementation
  15. Defining the duration of the data processing agreement
  16. Establishing the timeframe for the agreement
  17. Outlining the procedure for extending the agreement
  18. Outlining the procedure for handling a data breach or complaint
  19. Establishing a process for reporting and responding to data breaches or complaints
  20. Outlining the procedure for terminating the agreement
  21. Establishing the conditions for termination
  22. Specifying the timeframe for termination
  23. Creating appropriate warranties and indemnities
  24. Identifying potential liabilities
  25. Establishing warranties and indemnities for each party
  26. Drafting a legally binding agreement
  27. Identifying the language and format for the agreement
  28. Writing and reviewing the contract
  29. Signing and executing the agreement

Get started

Understanding the legal requirements for data processing agreements in the UK

  • Read up on the General Data Protection Regulation (GDPR) and the Data Protection Act 2018
  • Understand the requirements of the GDPR and how it applies to data processing agreements
  • Familiarise yourself with the UK's data protection authority, the Information Commissioner's Office (ICO), and its guidelines for data controllers and data processors
  • Understand the roles and responsibilities of data controllers and data processors
  • Check if there are any industry-specific guidelines or regulations for data processing agreements
  • When you are confident that you understand the legal requirements for data processing agreements in the UK, you can move on to the next step.

Researching applicable laws and regulations

  • Familiarize yourself with applicable laws and regulations in the UK that apply to data processing agreements, such as the GDPR and the Data Protection Act 2018.
  • Research any other relevant laws or regulations that may apply, such as the Privacy and Electronic Communications Regulations (PECR) or the UK Investigatory Powers Act.
  • Read up on best practices for data processing agreements as advised by relevant government authorities or professional organizations.
  • When you are confident that you are aware of the relevant laws and best practices, you can move on to the next step of defining the roles and responsibilities of the data controller and data processor.

Defining the roles and responsibilities of the data controller and data processor

  • Understand the differences between the data controller and data processor roles and responsibilities
  • Document the data controller’s and data processor’s roles and responsibilities in the data processing agreement
  • State who is responsible for processing the data, what data is being processed, and how it is being processed
  • Ensure the data processing agreement meets all applicable laws and regulations
  • Check that all the necessary roles and responsibilities have been included and specified in the agreement
  • When complete, all the roles and responsibilities of the data controller and data processor should be clearly outlined in the data processing agreement.

Identifying the parties involved

  • Identify the data controller, data processor, and any other relevant parties that will be involved.
  • Ensure that all parties are aware of their roles and responsibilities.
  • Record the contact details of each party for future reference.
  • Once the parties are identified and their roles are made clear, this step can be checked off the list.

Outlining the roles and responsibilities of each party

  • Outline the roles and responsibilities of each party in the agreement.
  • Make sure each party understands the scope of their responsibility and the limits of their involvement.
  • Determine who is responsible for the accuracy and security of the data.
  • Specify who is liable in case of data breaches, and what processes are in place to handle any data breach incidents.
  • Clarify who is responsible for data destruction when the contract ends.
  • Decide who is responsible for ensuring all data processing activities comply with applicable laws and regulations.

Once you’ve outlined the roles and responsibilities of each party, you can move on to the next step, which is specifying the types of data to be processed.

Specifying the types of data to be processed

  • Identify the types of data that will be processed, including any special categories of data (e.g. sensitive personal data related to health, religion, race, etc.)
  • List out each type of data and provide an explanation of how it will be used
  • Note whether the data will be collected from the data subject or from another source
  • If the data is collected from another source, specify the source
  • Make sure to clearly explain the purpose for processing the data
  • Once you have identified and discussed the types of data that will be processed, you can move on to the next step of identifying the categories of data.

Identifying the categories of data

  • Determine the categories of data that will be processed under the data processing agreement, such as personal data, financial data, and health data
  • Consider if any special categories of data (e.g. criminal records) will be included
  • Review the applicable data protection laws to make sure that any categories of data that will be processed are allowed by the applicable law
  • Check that the categories of data that will be processed are necessary for the purposes of the agreement
  • Once all necessary categories of data have been identified and are compliant with applicable laws, move on to the next step of specifying specific types of data to be collected, stored and processed.

Specific types of data to be collected, stored and processed

  • Review the data categories listed in the previous step and determine the specific types of data that will be collected, stored and processed
  • Identify any additional data types that have not been previously identified
  • Make sure that any additional data types are necessary and relevant to the purpose of the data processing
  • Document the specific types of data that will be collected, stored and processed
  • Include any relevant details such as the format of the data and the storage location
  • When you are done, you’ll have a list of all the specific types of data that will be collected, stored and processed for your data processing agreement. This will help you to identify any potential risks associated with the data processing.

Identifying the purpose of the data processing

  • Identify the purpose for which the data is being collected, stored, and processed
  • Determine if the purpose requires the processing of sensitive data or other special categories of data
  • Make sure that any processing of sensitive data or other special categories of data is only done with the data subject’s explicit consent
  • Ensure that the data subject is aware of the purpose for which their data is being collected, stored and processed
  • Make sure that the data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is being collected and processed
  • Make sure that you can demonstrate that the data is being collected and processed in a way that is necessary, relevant, and proportionate to the intended purpose
  • Confirm that the data subject is aware of their rights and how they can exercise them
  • When you have identified the purpose of the data processing, you can move on to the next step.

Outlining the purpose of the processing

  • List out all of the purposes that you intend to use the data for
  • Summarize these listed data processing purposes in the data processing agreement
  • Ensure that the agreement accurately reflects the purposes for data processing
  • Check that the agreement is in line with the GDPR or any other applicable data protection laws
  • When these steps have been completed, you can move on to the next step of establishing the legal basis for the data processing.

Establishing the legal basis for the data processing

  • Decide which legal basis you will choose for the processing of data, e.g. consent, contract, legitimate interests
  • Identify which of the six lawful bases for processing data applies to the data processing activities covered by the agreement
  • Ensure that the legal basis for the processing is set out clearly in the agreement
  • Check that the data processing is necessary for the purposes detailed in the agreement
  • When satisfied that you have established the correct legal basis for the data processing, add it to the agreement
  • Check off this step and move on to the next, Establishing mechanisms for data security and privacy

Establishing mechanisms for data security and privacy

  • Establish clear security protocols for the data processor and the data controller, including processes and procedures for handling and storing the data
  • Outline the access control and authentication measures required to access and process the data
  • Define the encryption and network security measures that must be in place to protect the data
  • State the processes for data destruction at the end of the agreement
  • Agree on the processes for data privacy and compliance with relevant regulations
  • Once all of these measures have been agreed upon, the data processing agreement is ready to be signed by both the data controller and the data processor.

Defining the measures to be taken to protect data

  • Establish who will be responsible for ensuring data protection, e.g. which department or individual
  • Determine the technical, organisational and physical security measures that need to be implemented to protect data
  • Identify any potential risks to data and how these can be avoided
  • Identify any third-party services that will be used and how data will be protected
  • Ensure that all staff assigned to the project understand their duty to protect data
  • Agree on the frequency of data security reviews and the methods of conducting them
  • Agree on the measures to be taken if data is lost or breached

Once all of the above measures have been established, you can check this off your list and move on to the next step.

Specifying the timeframe for implementation

  • Identify a realistic timeline for implementation of the data processing agreement
  • Take into account any existing contracts, business processes, and data migration activities that may impact the implementation timeline
  • Schedule milestones for implementation of the agreement, and assign responsible parties for each milestone
  • Ensure that the timeline and responsible parties are clearly specified in the data processing agreement
  • Once the timeline is agreed upon and specified in the agreement, you can move on to the next step of defining the duration of the data processing agreement.

Defining the duration of the data processing agreement

  • Discuss the duration of the agreement and decide on a starting and end date for the agreement
  • Make sure to consider any additional and relevant terms as it relates to the duration
  • Decide on the termination clauses in the agreement and how to handle data after the agreement has ended
  • Make sure to include renewal provisions, if applicable
  • Once these decisions have been made and the duration has been agreed upon, you can move on to the next step: Establishing the timeframe for the agreement.

Establishing the timeframe for the agreement

  • Determine the start date of the arrangement
  • Designate a period of time after which the agreement must be reviewed
  • Add a section to the data processing agreement that outlines the procedure for extending the agreement
  • Sign and date the agreement
  • Check off that this step is complete and move on to the next step of outlining the procedure for extending the agreement.

Outlining the procedure for extending the agreement

  • Create a process for extending the agreement that includes all parties involved.
  • Set a timeline for when the agreement should be reviewed and extended. This can be done on a yearly basis or when significant changes are made to the data processing.
  • Determine the process for each party to agree to the extension.
  • Outline the procedure for notifying the other party of an intention to extend or terminate the agreement.
  • You can check this off your list when all parties have agreed to the extension of the agreement and the timeline for reviews and extensions is established.

Outlining the procedure for handling a data breach or complaint

  • Develop a policy outlining the process for handling a data breach or complaint.
  • Include how to identify a potential data breach and how to respond to it.
  • Outline how to respond to a data subject’s complaint, including how to investigate and resolve it.
  • Outline the process for notifying the ICO of any data breaches or complaints.
  • Include a process for reporting data breaches or complaints to the data controller.
  • When your policy is complete, you can move on to the next step in setting up a data processing agreement.

Establishing a process for reporting and responding to data breaches or complaints

  • Decide who is responsible for responding to data breaches and complaints
  • Set up a process for reporting and responding to data breaches and complaints
  • Inform all data processors and controllers involved of the process
  • Ensure appropriate measures are in place for data processors and controllers to respond to data breaches and complaints
  • Check that all personnel have the appropriate training and are aware of the process
  • When all of the above steps have been taken, check this off your list and move on to the next step.

Outlining the procedure for terminating the agreement

  • Set out the conditions for terminating the agreement, including advance notice requirements, the form of notice and the process for resolving any disputes.
  • Include details about the consequences of termination, including return of confidential information, return of data and any other obligations that arise on termination.
  • Make sure both parties understand the procedure for terminating the agreement, including the notice period and any other requirements.
  • Check that you have written a clear termination procedure in the Data Processing Agreement.
  • You will have completed this step when you have set out the conditions for termination, outlined the procedure for terminating the agreement, and made sure both parties have understood the termination process.

Establishing the conditions for termination

  • Clearly define the circumstances that could lead to the termination of the agreement, such as a breach of the agreement, change of law, or any other reason that could lead to the termination of the agreement.
  • Make sure everyone involved in the agreement is aware of the conditions for termination.
  • When you have established the conditions for termination, you can move on to the next step of specifying the timeframe for termination.

Specifying the timeframe for termination

  • Specify the notice period required for either party to terminate the agreement. Typically, 30 days' notice is given.
  • Determine if the agreement should have an automatic renewal clause
  • Set out when the agreement will terminate if the parties fail to renew it
  • Note whether either party can require the other to provide a written statement confirming the termination of the agreement

Once the timeframe for termination has been specified, you can move on to the next step: creating appropriate warranties and indemnities.

Creating appropriate warranties and indemnities

  • Establish warranties and indemnities that address the obligations and liabilities of both parties in the data processing agreement.
  • Identify the potential liabilities that both parties may face as a result of any data processing activities.
  • Include a warranty that the data processor will observe the data protection principles and all applicable laws.
  • Include an indemnity from the data processor to the data controller for any breach of the warranties.
  • Make sure that each party’s warranties and indemnities are clear and unambiguous.
  • Ensure that all warranties and indemnities are consistent with each other, and that they do not contain any contradictions.

Once you have established the warranties and indemnities, you can check this off your list and move on to the next step - Identifying potential liabilities.

Identifying potential liabilities

  • Make sure to identify any potential liabilities that could arise from the data processing activities
  • Outline any liabilities that could arise from a breach of your agreement or any related data protection laws
  • Consider any potential liabilities that may arise from a third party’s access to the data
  • List any potential liabilities that could arise from a data breach, such as a theft or unauthorized access to the data
  • Identify any issues that could arise from the data processing activities, such as if the data is inaccurate or contains errors

Once you have identified all the potential liabilities, you can check this step off your list and move on to the next step: Establishing warranties and indemnities for each party.

Establishing warranties and indemnities for each party

  • Create a list of warranties and indemnities for each party
  • Identify any potential liabilities that should be addressed in the warranties and indemnifications
  • Draft clauses for each warranty and indemnity and make sure to include who is responsible for any liabilities
  • Make sure that each party is adequately protected from liabilities
  • Review the warranties and indemnities carefully and ensure that they are written in a way that is legally binding
  • Once the warranties and indemnities are agreed upon, they can be added to the data processing agreement
  • You will know that you have completed this step when all warranties and indemnities have been agreed upon and added to the data processing agreement.

Drafting a legally binding agreement

  • Draft a legally binding agreement that outlines the terms, conditions and obligations of the data processor and data controller, taking into account the warranties and indemnities that have been established for each party.
  • Include provisions that allow the data controller to audit the data processor and ensure that the data processor is adhering to the agreed-upon terms.
  • Ensure that the agreement follows the applicable data protection laws in the UK and that the data processor is obligated to comply with them.
  • Once the agreement is drafted, review it with a legal professional to ensure that it is legally sound and meets all the necessary requirements.

You’ll know that you’ve completed this step when you have a legally binding agreement that is tailored to the specific data processing arrangement and is compliant with all applicable data protection laws in the UK.

Identifying the language and format for the agreement

  • Research and review the requirements for a legally binding Data Processing Agreement (DPA) in the UK
  • Consider the language that should be used in the agreement and any specific formatting requirements
  • Decide on the language and format to be used in the agreement
  • Prepare a checklist to ensure all necessary elements are present
  • Confirm that all stakeholders understand the requirements and agree to the language and format chosen

Once the language and format for the agreement is identified, you can move on to the next step: Writing and reviewing the contract.

Writing and reviewing the contract

  • Create a draft agreement that outlines the data processing activities, the roles and responsibilities of both parties, and any other key terms and conditions
  • Ensure that the agreement meets the requirements of the GDPR
  • Have each party review and revise the agreement until both parties are agreeable to the terms
  • Set up a meeting to go over the agreement and answer any questions
  • Have both parties sign the agreement
  • Once the agreement is signed, you can move on to the next step of Signing and Executing the Agreement.

Signing and executing the agreement

  • Have both parties sign the data processing agreement.
  • Have each party arrange for a witness to sign the agreement.
  • Ensure that each party keeps a signed copy of the agreement for its records.
  • Once both parties have signed the agreement, it is legally binding and effective.
  • You will know this step is complete when both parties have signed and witnessed the agreement.

FAQ

Q: Is there a difference between a Data Processing Agreement in the UK and the US?

Asked by Mary on March 5th, 2022.
A: Yes, there are certain differences between the UK and US when it comes to Data Processing Agreements. In the US, the Department of Commerce has created Model Clauses, which outline the requirements for data processing agreements between companies and third-party service providers. In contrast, in the UK, the Information Commissioner’s Office (ICO) has created a set of eight principles which must be met in order for a data processing agreement to be valid.

Q: What happens if a company doesn’t have a Data Processing Agreement in place?

Asked by William on April 21st, 2022.
A: If a company fails to have a Data Processing Agreement (DPA) in place, they are at risk of receiving serious penalties from regulators or even from customers or clients. Without a DPA, companies are at risk of violating data protection laws, which can lead to hefty fines or even criminal sanctions. Additionally, if customers or clients are not protected by a DPA then they may take legal action if their data is misused or compromised in any way.

Q: How long does it take to set up a Data Processing Agreement?

Asked by Emma on July 16th, 2022.
A: The time it takes to set up a Data Processing Agreement (DPA) depends on several factors such as the complexity of the agreement and how quickly both parties can come to an agreement. Generally speaking, it could take anywhere from several days to several weeks depending on how quickly both parties can come to an agreement and how much negotiation is necessary.

Q: What happens if there is a breach of contract in a Data Processing Agreement?

Asked by James on September 18th, 2022.
A: If there is a breach of contract in a Data Processing Agreement then both parties are at risk of facing serious penalties from regulators or from customers or clients. Depending on the severity of the breach, companies may face hefty fines or even criminal sanctions if they fail to comply with data protection laws. Additionally, customers or clients may take legal action if their data is misused or compromised in any way due to such breach.

Q: Are there any differences between UK and EU Data Processing Agreements?

Asked by Olivia on October 29th, 2022.
A: Yes, there are certain differences between UK and EU Data Processing Agreements (DPAs). In the UK, DPAs must adhere to the eight principles set out by the Information Commissioner’s Office (ICO), while in Europe they must adhere to the General Data Protection Regulation (GDPR). Additionally, under GDPR companies must provide customers with certain rights such as access to their data as well as the right to be forgotten or erasure rights.

Q: What type of information should be included in a Data Processing Agreement?

Asked by Noah on December 7th, 2022.
A: A Data Processing Agreement should include information such as what type of personal data will be processed; who will process it; how long it will be stored for; what security measures will be taken; where it will be stored; who will have access to it; how it will be transferred; who owns it; and what rights customers have over their data. It should also include details about liabilities and indemnities, as well as any specific requirements for each party involved in the agreement.

Q: Do I need a lawyer to draw up my Data Processing Agreement?

Asked by Abigail on December 21st, 2022.
A: While you do not necessarily need a lawyer to draw up your Data Processing Agreement (DPA), it is highly recommended that you consult with one before signing an agreement. A lawyer can ensure that your DPA meets all legal requirements and that all clauses are fair and legally binding for both parties involved in the agreement. Additionally, they can help you understand any complexities within your DPA and provide advice if needed.

Q: Are there any specific rules for international transfers under a Data Processing Agreement?

Asked by Jacob on January 17th, 2023.
A: Yes, there are certain rules for international transfers under a Data Processing Agreement (DPA). For example, when transferring personal data outside of Europe, special rules apply, such as obtaining consent from individuals for such transfers or ensuring appropriate safeguards are put in place before any personal data leaves Europe. Additionally, when transferring personal data between different countries within Europe, similar rules apply, such as ensuring appropriate safeguards are in place or obtaining consent from individuals for such transfers.

Q: How often should I review my Data Processing Agreement?

Asked by Liam on February 9th, 2023.
A: It is important that you review your Data Processing Agreement (DPA) on a regular basis as changes may occur that need to be updated in order for your agreement to remain valid and effective over time. Additionally, it is important to review your DPA at least once every year as new laws may have been introduced that need to be incorporated into your DPA in order for it to remain compliant with current regulations and laws.

Q: Can I use my own standard terms within my Data Processing Agreement?

Asked by Ava on March 13th, 2023.
A: Yes, you can use your own standard terms within your Data Processing Agreement (DPA). However, you should make sure that these terms do not contradict with any existing laws and regulations related to data protection as well as any clauses outlined by either party within the DPA itself. Additionally, you should also ensure that these terms comply with any applicable industry standards related to privacy and data protection before using them within your DPA.

Q: What steps do I need to take when negotiating my Data Processing Agreement?

Asked by Ethan on April 28th, 2023.
A: When negotiating your Data Processing Agreement (DPA) it is important that both parties understand what each party's roles and responsibilities are within the agreement, as well as how each party is expected to fulfil those roles and responsibilities over time. Additionally, both parties should discuss what type of information will be processed under the agreement; who will process it; how long it will be stored for; what security measures will be taken; where it will be stored; who will have access to it; how it will be transferred; who owns it; and what rights customers have over their data under such agreement. It is also important that both parties agree upon certain liabilities and indemnities before signing an agreement, as well as any specific requirements for each party involved in the agreement, so that all parties feel secure when entering into an agreement together.

Example dispute

Suing a Company for Non-Compliance with Data Processing Agreements

  • A plaintiff might bring a lawsuit if the company is found not to be adhering to its data processing agreement, such as by not properly protecting customer data or not providing the agreed-upon service.
  • The plaintiff might reference relevant legal documents and regulations such as the General Data Protection Regulation (GDPR) when making their case.
  • Depending on the severity of the breach, settlement may be reached through a settlement agreement, or the court may award damages to the plaintiff.
  • Damages may be calculated based on the financial losses suffered by the plaintiff, or for violations of the GDPR, the court may award a fine of up to €20 million or 4% of the company’s annual global turnover, whichever is higher.

Templates available (free to use)

Data Processing Agreement Combining Supplier Customer Non Personal Data
Data Processing Agreement Combining Supplier Customer Personal Data
Data Processing Agreement Controller Friendly Taylor Vinters
Data Processing Agreement For Personal Data Inside EEA
Data Processing Agreement For Personal Data With Outside EEA Transfer
Data Processing Agreement For Supplier Processing Non Personal Data
Standard Data Processing Agreement UK GDPR DPA Non EEA Data Transfers
Standard Personal Data Processing Agreement For Contracted Service Provider
