If your business uses third-party software or services to process personal data — and almost every business does — you need a Data Processing Agreement (DPA) with each of those providers. Under Article 28 of the UK GDPR, this isn't optional.
In this guide, we explain what a DPA is, when you need one, and what it must contain.
What is a Data Processing Agreement?
A Data Processing Agreement is a legally binding contract between a data controller (you — the business that decides why and how personal data is processed) and a data processor (a third party that processes personal data on your behalf).
Its purpose is to ensure that any third party handling your customers' data does so securely, lawfully, and in line with your instructions — not their own commercial interests.
When do I need a Data Processing Agreement?
You need a DPA whenever a third party processes personal data on your behalf and under your instructions. Check the provider's own data terms: where a provider decides its own purposes for some of the data (for example fraud prevention or its own regulatory compliance), it is a separate controller for that processing and Article 28 does not apply to that part. Common examples of processors include:
- Email marketing platforms — Mailchimp, HubSpot, Klaviyo (hold your subscriber lists)
- Cloud hosting and storage — AWS, Google Cloud, DigitalOcean (host your customer data)
- Payment processors — Stripe, PayPal (process customer payment information)
- Analytics tools — Google Analytics (processes visitor IP addresses and behaviour data)
- CRM systems — Salesforce, HubSpot (store customer contact details)
- Accounting software — Xero, QuickBooks (holds financial records with personal data)
- Customer support tools — Zendesk, Intercom (handle customer communications)
✅ Important: Many major processors (Google, Stripe, AWS, Mailchimp) include DPA terms in their standard terms of service or provide a separate DPA to sign. Check whether your existing agreements already cover this.
What must a Data Processing Agreement include?
Article 28(3) of the UK GDPR sets out what a DPA must contain. It must set out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects involved, and the controller's obligations and rights. At a minimum it must also specify that the processor will:
- Process personal data only on documented instructions from the controller, including any instructions on transfers outside the UK
- Ensure that authorised staff are bound by confidentiality
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without the controller's prior specific or general written authorisation
- Help the controller respond to data subject rights requests
- Assist the controller with its security obligations, breach notifications and data protection impact assessments
- Delete or return all personal data at the end of the contract, at the controller's choice, unless the law requires the processor to keep it
- Provide all information necessary to demonstrate compliance
- Allow for and contribute to audits by the controller
What is the difference between a data controller and a data processor?
This distinction is fundamental to understanding when you need a DPA:
- A data controller determines the purposes and means of processing personal data. If you're a business that holds customer data and decides what to do with it, you're a controller.
- A data processor processes personal data on behalf of a controller, following the controller's instructions. If you use Mailchimp to send emails on your behalf, Mailchimp is your processor.
You can be a controller and a processor at the same time — for example, if you process data on behalf of your own clients, you're acting as their processor, while also being a controller for your own staff data.
What about sub-processors?
Sub-processors are third parties that a processor engages to help carry out its services. For example, Mailchimp might use AWS to host your email lists. This creates a chain of responsibility.
Under UK GDPR, processors must:
- Get the controller's prior written authorisation before engaging sub-processors (either specific authorisation for each one, or general authorisation with notice of any additions or replacements and a chance for the controller to object)
- Impose the same data protection obligations on sub-processors
- Remain fully liable to the controller for any sub-processor failures
What are the penalties for not having a DPA?
Sharing personal data with a third-party processor without a DPA in place is a direct violation of Article 28 of the UK GDPR. This falls under the standard (lower) tier of fines — up to £8.7 million or 2% of total annual worldwide turnover, whichever is higher — but can still be significant for a small business.
⚠ Beyond fines, without a contract the processor's obligations to you are undefined and you cannot demonstrate that the processing meets UK GDPR requirements. You remain responsible for what the processor does with your customers' data, so a processor acting outside a compliant contract leaves you exposed, and the processor in breach as well.
Do I need a DPA with Google Analytics?
Yes. Google Analytics processes personal data (IP addresses, device information, browsing behaviour) on your behalf. Google provides a DPA as part of its terms of service — but you need to ensure you've accepted it and configured Google Analytics correctly (including IP anonymisation).
How do I get a Data Processing Agreement?
There are three ways to get a DPA in place:
- Check your existing contracts — many major processors include DPA terms in their standard terms of service. Review the data processing terms in your existing agreements.
- Request a DPA from your processor — most reputable processors will have a standard DPA they can provide or sign.
- Generate your own — for processors that don't provide one, you can generate a DPA using DataShark that covers all the Article 28 requirements for your specific business and processors.
Summary
If your business uses any third-party software that handles personal data — which virtually all businesses do — you need Data Processing Agreements in place with those processors. Check whether your existing contracts already include DPA terms, and generate your own for any processors that don't provide one.
Ready to generate your GDPR policy?
Answer a few questions about your business and get a personalised, legally-structured document in minutes.
Start free — from £29 →