
What Are Common Mistakes in A Data Processing Agreement?


Data processing agreements are vital and mandatory under the UK General Data Protection Regulation (UK GDPR). The UK GDPR prescribes strict rules around the processing of personal data of living individuals. A data processing agreement must be strictly compliant with the relevant legal rules. However, organisations often make various mistakes when entering these agreements. This article will explore common errors in UK data processing agreements and how to avoid them. 

What Is a Data Processing Agreement?

A data processing agreement is a contract between a data controller and a data processor that governs the processor’s handling of personal data on the controller’s behalf. It sets out each party’s obligations for complying with data protection law when the controller shares personal data with the processor for specified purposes. 

A data controller is an organisation that decides why and how personal data is processed. A data processor, in contrast, does not decide the purposes or means of the processing: it processes personal data only on the controller’s documented instructions. 

This relationship typically arises between a customer and a supplier. For instance, a customer shares its staff’s personal data with a supplier so that the supplier can deliver its services under a commercial agreement. 

Some of the obligations under a data processing agreement include the following:

  • the data processor may use the personal data only in accordance with the controller’s documented instructions; 
  • the processor must keep the personal data secure and confidential; and
  • the processor must delete or return the personal data at the end of the commercial relationship.

What Are Common Mistakes in A Data Processing Agreement?

There are several common mistakes which we often see in data processing agreements. 

Here are some critical mistakes you should avoid when drafting these agreements:

1. The Agreement Does Not Include All Mandatory Terms. 

The UK GDPR prescribes specific terms that this type of agreement must contain. Article 28(3) of the UK GDPR sets out these terms, and Article 28(9) requires the agreement to be in writing (which includes electronic form).

An agreement that contains only some of the required terms is not UK GDPR compliant. It is vital to check that your agreement contains every term the law requires. The law prescribes a long list of minimum terms, yet data processing agreements frequently omit some of them. For instance, some fail to address sub-processing: the requirement that the processor obtain the controller’s prior written authorisation before engaging another processor, and flow the same data protection obligations down to that sub-processor. 

Understanding the mandatory terms and what you are signing up for is essential. If you are a processor and breach the terms of your data processing agreement, a controller could have various remedies against you. Further, you would also fall short of your legal obligations under the UK GDPR rules. 

2. The Agreement Does Not Specify Which Personal Data Is Processed. 

Your data processing agreements must be tailored and set out the data you are processing to comply with the UK GDPR.

Your agreements must state:

  • the subject matter of the data processing;
  • the duration of the data processing;
  • the nature and purposes of the data processing activities; 
  • the categories of individuals whose personal data you will process; 
  • the types of personal data, e.g. names, email addresses, and telephone numbers; and 
  • the obligations and rights of the controller.

A generic data processing agreement that omits this information will not be compliant. A frequent failing is an agreement that does not specify which types of personal data are processed under it. 

3. The Agreement References Incorrect Laws 

The EU General Data Protection Regulation (EU GDPR) came into force on 25 May 2018. Following the UK’s withdrawal from the EU, this law was retained in UK law with effect from 1 January 2021, and the retained version is known as the UK GDPR. The UK Data Protection Act 2018 (DPA 2018) supplements the UK GDPR and sits alongside it. 

The EU GDPR and the UK GDPR, whilst very similar, are nonetheless separate laws. The UK’s own data protection regime may also change, with new rules in the pipeline. 

Many UK company data processing agreements still refer to ‘EU GDPR’. However, for UK businesses subject to UK laws, the UK GDPR and the DPA 2018 should be referenced in their data processing agreements. Referring to the EU GDPR means referring to the incorrect regulatory regime. 

For some UK businesses that are also subject to the EU GDPR, their agreements may also need to reference the EU GDPR. However, UK businesses not subject to the EU GDPR rules should be careful and use the correct terminology. 


Ensuring that your data processing agreement also refers to the correct laws and regulators is vital. In the UK, this is the UK Information Commissioner’s Office.  

Businesses often need help understanding which legal rules apply to them. If you are unsure whether your business must comply with both the UK GDPR and the EU GDPR, you should seek legal advice. 


Why Is It Important to Get Data Processing Agreements Right?

These agreements are mandatory under the UK GDPR. Failing to comply with the UK GDPR has several consequences, including enforcement action by the Information Commissioner’s Office and fines. Breaches of the controller and processor obligations in Article 28 fall within the lower tier of fines under Article 83(4) of the UK GDPR: up to £8.7 million or 2% of annual worldwide turnover, whichever is higher. 

In addition, compliance with data protection laws is vital to developing trust and fostering good data governance. Companies must invest time in understanding data processing agreements and ensuring their agreements comply with the UK GDPR rules. 

You can work with a data protection lawyer if you require support preparing a UK GDPR-compliant data processing agreement. A data protection lawyer can prepare a contract that complies with legal rules and does not contain the various errors explored above.

Key Takeaways

These types of agreement are mandatory under the UK GDPR and must be drafted carefully and correctly. Your business should ensure that your agreement contains all the required compulsory terms under Article 28 of the UK GDPR. You should also ensure your agreements are specific and correctly specify the personal data processed for each project. Further, you should ensure that your agreement refers to the correct regulatory regime. These are common mistakes companies make in their data processing agreements. 

If you need help with a data processing agreement, you can contact LegalVision’s experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.

Read all articles by Sej
