Article 28 of the UK GDPR requires specific contractual provisions whenever personal data is processed by a processor on behalf of a controller. The DPA you are being asked to sign may comply with Article 28, may go beyond it in ways that impose additional commercial obligations, or may fall short of it in ways that put you in breach.
What to check in a DPA before signing
The points that recur in DPA review are: the international transfer mechanism relied on (the UK position has changed in recent years, and many DPAs still cite superseded frameworks); how sub-processors are appointed and whether the controller's consent is required; audit and inspection rights; how specifically the security measures are described (a bare reference to "appropriate technical and organisational measures" says nothing about what is actually in place); and personal data breach notification timelines.
A DPA review is short legal work that prevents long compliance problems.
If a supplier or customer has asked you to sign a DPA, it pays to understand what you are agreeing to before you sign.
Example: a typical scope and fixed fee
For a single DPA review, the typical scope looks like this.
What's included
- Review of the DPA
- Advice on compliance with UK GDPR Article 28 requirements
- A clear written summary with practical recommendations
- A follow-up call or email exchange to discuss the findings
What's outside this scope
- Redrafting the DPA (see Data Processing Agreement)
- Negotiation with the other party beyond the scope described above
- Tax advice
Fixed fee: £350, no VAT.
How I will approach your matter
Once you have instructed me, I will be in touch within one working day. Send me the DPA, and I will check it against the Article 28 requirements and provide a clear written summary with practical recommendations.
To instruct me, or to talk through whether this is the right service for your matter, email geoffrey@caesar.co.uk. I aim to reply within 24 hours.