UK GDPR · 18 Nov 2025 · 5 min read

Supplier Due Diligence: Are Your Third-Party DPAs Up to Scratch?

UK GDPR Article 28 requires a written contract with every data processor. Yet many organisations still rely on out-of-date DPAs or haven't reviewed them since 2018. Here's how to audit and remediate your supplier register.

Folelse Team

Article 28 of UK GDPR is unambiguous: where a controller engages a processor to handle personal data on its behalf, there must be a binding written contract (commonly called a Data Processing Agreement or DPA) that sets out the subject matter, duration, nature, and purpose of the processing. Despite this requirement being in force since May 2018, supplier DPA compliance remains one of the most common gaps we see in UK organisations.

Who Counts as a Data Processor?

A data processor is any organisation that processes personal data on behalf of a controller, following the controller's instructions. Common examples include:

  • Cloud software providers (HR systems, CRM, email platforms)
  • Payroll bureaux
  • IT managed service providers
  • Marketing agencies handling customer data
  • Call centre or outsourced customer service providers
  • Document shredding and destruction companies
  • NHS suppliers with access to patient data

Importantly, if a supplier makes independent decisions about how to use personal data — for example, a law firm providing legal advice — they may be an independent controller rather than a processor, and Article 28 DPA requirements would not apply. However, where a supplier processes data strictly to your instructions, you need a DPA.

What Must a UK GDPR-Compliant DPA Include?

Article 28(3) sets out the mandatory content of a Data Processing Agreement. It must stipulate that the processor:

  • Only processes data on documented instructions from the controller
  • Ensures persons authorised to process the data are bound by confidentiality
  • Takes all measures required by Article 32 (security of processing)
  • Respects the conditions for engaging sub-processors
  • Assists the controller with data subject rights requests
  • Assists the controller with security, breach notification, DPIAs, and prior consultation obligations
  • At the end of the service, deletes or returns all personal data
  • Makes available all information necessary for the controller to demonstrate compliance

Why Many Existing DPAs Are Non-Compliant

Many DPAs signed around the time of the original GDPR implementation in 2018 are now out of date. Common problems include:

  • References to EU GDPR rather than UK GDPR — following Brexit, UK organisations need agreements referencing UK law
  • No sub-processor approval mechanism — many early DPAs simply listed sub-processors rather than establishing an approval process
  • No provision for DPIAs or prior consultation assistance
  • Vague or absent data deletion provisions
  • No international transfer safeguards for processors based outside the UK

How to Audit and Remediate Your Supplier Register

Step 1: Build your processor register. List every supplier who processes personal data on your behalf. Cross-reference your ROPA (Record of Processing Activities), your IT asset register, and your procurement records.

Step 2: Assess each DPA. For each processor, check whether a DPA exists, whether it contains the mandatory Article 28(3) provisions, and whether it references UK GDPR (not just EU GDPR).

Step 3: Prioritise. Focus first on processors handling sensitive personal data, large volumes of data, or health and financial information. These represent the highest risk.

Step 4: Request updated agreements. Most reputable software and service providers will have a standard DPA or data processing addendum. Request it. For smaller suppliers, you may need to issue your own standard DPA for signature.

Folelse's supplier management module lets you maintain a processor register, track DPA status, and set review reminders — so your Article 28 compliance stays current year-round.
