A DPA is the standard contract that documents a controller-to-processor relationship under Article 28. It is mandatory, and its minimum content is largely prescribed by that Article. The drafting still leaves room, however, to allocate commercial risk between the parties.

Where DPA drafting matters

The points where drafting matters are: the precise scope of processing (what, why, for how long); audit and inspection mechanics (which can be expensive if drafted broadly); sub-processor arrangements; international transfers (using an appropriate transfer mechanism); breach notification timelines and content; and termination assistance.

A good DPA is compliant with Article 28 and reflects a sensible commercial allocation of the obligations and costs of compliance. Off-the-shelf templates often do the first part and not the second.

A DPA is required wherever you share personal data with a third party that processes it on your behalf, or vice versa.

Example: a typical scope and fixed fee

For a controller-to-processor relationship between two parties, the typical scope looks like this.

What's included

  • A consultation to understand the data processing relationship
  • Drafting of a DPA compliant with UK GDPR Article 28, covering processing instructions, security measures, sub-processing, breach notification, audit rights, and data deletion
  • One round of revisions based on your feedback
  • Final version ready to use

What's outside this scope

  • Negotiation with the other party beyond the scope described above
  • Data sharing agreements between controllers (see Data Sharing Agreement)
  • Tax advice

Fixed fee: £495, no VAT.

How I will approach your matter

Once you have instructed me, I will arrange a consultation to understand the data processing relationship before drafting. The DPA will be Article 28 compliant and will reflect a sensible commercial allocation of the compliance obligations between the parties.