1-2 hours · Medium

How to Create a Data Processing Agreement

Create a data processing agreement by specifying the subject matter and duration of processing, the types of personal data, categories of data subjects, the processor's obligations (security, sub-processors, breach notification), and the controller's instructions.

Last updated: February 2025

Step-by-Step Guide

1. Identify the processing activities

Map out what personal data the processor will handle, the purposes, categories of data subjects, and the expected duration of processing.

Tips
  • Be specific about what data is shared and why.

2. Include mandatory Article 28 clauses

UK GDPR Article 28(3) requires specific clauses on processing only on instructions, confidentiality, security measures, sub-processors, data subject rights assistance, deletion or return of data, and audit rights.

Tips
  • Use the ICO's template DPA clauses as a starting point.

3. Address sub-processors and international transfers

Specify whether the processor may use sub-processors, the authorisation process, and how international data transfers are safeguarded.

Tips
  • Require the processor to impose equivalent obligations on sub-processors.

4. Set breach notification and audit provisions

Require the processor to notify the controller of personal data breaches without undue delay and to cooperate with audits.

Tips
  • Specify a breach notification timeframe (e.g. 24 or 48 hours).

Legal Requirements

Article 28 of UK GDPR requires a written contract between controller and processor that sets out the subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the controller's obligations and rights. The agreement must include specific provisions on security, sub-processing, breach notification, and audit rights.

Common Mistakes

  • Using a generic DPA that does not reflect the actual processing activities
  • Not addressing international data transfers when the processor uses cloud services hosted outside the UK
  • Failing to require breach notification within a specific timeframe

Template / Example

Data Processing Agreement: The Processor shall process personal data only on documented instructions from the Controller. Processing: [description]. Data types: [types]. Data subjects: [categories]. Duration: [period]. The Processor shall implement appropriate technical and organisational security measures.

When to Get a Solicitor

If processing involves special category data, large-scale processing, international transfers to countries without adequacy decisions, or if you are a processor negotiating terms with a large controller.

FAQ

Who needs a data processing agreement?

A DPA is required whenever a controller engages a processor to handle personal data on its behalf. Common examples include using cloud hosting, email marketing platforms, payroll providers, and CRM systems.

Can I use the ICO's standard DPA clauses?

Yes. The ICO provides template controller-to-processor clauses that comply with Article 28. You should tailor them to reflect the specific processing activities in your arrangement.

Let AccountsOS handle this for you

Our AI generates UK-compliant contracts and guides you through every step. From £10/month.

This is guidance, not legal advice. Consult a solicitor for complex matters.