How to Use This Checklist
Click each checkbox to mark items as complete. Your progress is automatically saved to your browser. The checklist can be used in three ways:
✅ Three Ways to Use This Tool
1. Audit existing DPAs: Review your current Data Processing Agreement against all 64 UK GDPR Article 28 compliance points
2. Draft new DPAs: Ensure you don't miss any essential controller-processor requirements
3. Compare with legal drafts: Verify your DPA covers everything required by UK data protection law
⚠️ When Do You Need a Data Processing Agreement?
📄 Legal Requirement: A DPA is MANDATORY under UK GDPR Article 28 whenever you engage a third party to process personal data on your behalf
🔧 Common Scenarios: Cloud hosting providers, email marketing platforms, payroll processors, IT support services, CRM systems, analytics tools
⚖️ Controller vs Processor: You're the Controller (determines purposes/means of processing). The service provider is the Processor (processes on your instructions)
💷 Penalties for Non-Compliance: Processing without a valid DPA can result in ICO fines up to £17.5M or 4% of global turnover
⚠️ Understanding Importance Levels
🔴 Critical: Must have - UK GDPR Article 28 mandatory requirements. Omission creates serious legal risk and ICO enforcement action
🟡 Important: Should have - strongly recommended for proper compliance and demonstrating accountability
🔵 Recommended: Best practice - enhances legal protection and shows comprehensive data protection governance
Controller and Processor Identified
Clearly identifies who is the Controller (determines purposes/means) and who is the Processor (processes on Controller's instructions). Required by UK GDPR Article 28(3). Essential for establishing legal roles and responsibilities.
🔴 Critical
Key UK GDPR Terms Defined
Defines essential terms: Personal Data, Processing, Data Subject, UK GDPR, Data Protection Laws, Sub-processor. Ensures both parties understand technical terminology. Prevents disputes over interpretation.
🔴 Critical
Principal Agreement Referenced
References the underlying service agreement that the DPA supplements (e.g., Master Services Agreement, SaaS Agreement). Shows DPA doesn't stand alone. Links data processing obligations to commercial contract.
🟡 Important
Interpretation Clause
Explains how to interpret headings, singular/plural, statutory references. Standard contract interpretation rules. Reduces ambiguity in legal construction.
🔵 Recommended
Effective Date Stated
Clear commencement date showing when DPA obligations begin. Essential for audit trail. Demonstrates when Article 28 compliance commenced.
🟡 Important
⚠️ UK GDPR Article 28(3) Requirement
UK GDPR Article 28(3) requires you to specify: (1) subject matter of processing, (2) duration, (3) nature and purpose of processing, (4) type of personal data, and (5) categories of data subjects. Vague descriptions like "business operations" are insufficient and constitute a compliance breach.
Subject Matter & Purpose Described
Clearly describes what the Processor will do with personal data and why (e.g., "email marketing service provision", "cloud hosting", "payroll processing"). Required by UK GDPR Article 28(3)(a). Shows legitimate business need.
🔴 Critical
Duration of Processing Specified
States how long processing will occur: duration of Principal Agreement, specific time period, or "until termination". Required transparency under Article 28(3). Sets temporal scope of processor obligations.
🔴 Critical
Nature of Processing Activities
Describes what operations will be performed: collection, storage, organization, structuring, retrieval, consultation, use, disclosure, deletion. Shows comprehensive understanding of processing scope.
🟡 Important
Personal Data Categories Listed
Lists specific categories of personal data to be processed: contact details, financial data, employment information, transaction history, technical data (IP addresses), etc. Required by Article 28(3). Be specific, not vague.
🔴 Critical
Data Subject Categories Identified
Identifies whose data will be processed: customers, employees, suppliers, website visitors, job applicants, etc. Required disclosure under Article 28(3). Shows scope of affected individuals.
🔴 Critical
Special Category Data (if applicable)
If processing special category data (health, race, religion, biometrics, etc.), this MUST be explicitly stated with additional safeguards. Article 9 UK GDPR requires heightened protection. Higher risk requires specific authorization.
🔴 Critical
⚠️ Core Article 28(3) Requirements
UK GDPR Article 28(3) mandates that Processors: (1) only process on documented instructions, (2) ensure personnel confidentiality, (3) implement appropriate security, (4) respect sub-processing rules, (5) assist with data subject rights, (6) assist with security and breach obligations, (7) delete/return data post-termination, (8) make information available for audits.
Process Only on Documented Instructions
Processor commits to process personal data ONLY on documented written instructions from Controller. Cannot use data for own purposes. Article 28(3)(a) fundamental requirement. Prevents unauthorized processing.
🔴 Critical
Personnel Confidentiality Obligations
Processor ensures all personnel with access to personal data are bound by confidentiality obligations. Article 28(3)(b) requirement. Prevents unauthorized disclosure by employees/contractors.
🔴 Critical
Notification of Unlawful Instructions
Processor must immediately inform Controller if instructions would violate UK GDPR or Data Protection Act 2018. Article 28(3)(a) obligation. Protects Controller from inadvertent non-compliance.
🔴 Critical
No Data Transfer to Third Countries Without Authorization
Processor cannot transfer personal data outside UK/EEA without explicit Controller authorization and appropriate safeguards. Article 28(3)(a) read with Chapter V. Prevents unauthorized international transfers.
🔴 Critical
Records of Processing Activities
Processor maintains records of all processing activities carried out on behalf of Controller. Article 30(2) requirement. Essential for demonstrating accountability and audit trail.
🟡 Important
Cooperation with Controller
Processor commits to cooperating with Controller in meeting UK GDPR obligations: impact assessments, ICO consultations, compliance monitoring. Shows collaborative accountability approach.
🟡 Important
Controller Authorization Required
Processor cannot engage sub-processors without prior specific or general written authorization from Controller. Article 28(2) fundamental requirement. Controller retains control over data processing chain.
🔴 Critical
Sub-Processor Notification Procedure
If general authorization given, Processor must inform Controller of changes to sub-processors with reasonable notice period. Controller has right to object. Article 28(2) transparency requirement.
🔴 Critical
Sub-Processor Same Obligations
Processor imposes same data protection obligations on sub-processors via written contract. Article 28(4) flow-down requirement. Ensures consistent protection throughout processing chain.
🔴 Critical
Processor Remains Liable
Processor remains fully liable to Controller for sub-processor's failure to meet obligations. Article 28(4) accountability principle. Controller not prejudiced by sub-processing arrangements.
🔴 Critical
Appropriate Technical and Organizational Measures
Processor implements appropriate technical and organizational security measures considering state of the art, costs, nature/scope/context/purposes of processing, and risk. Article 28(3)(c) and Article 32 requirement. Core security obligation.
🔴 Critical
Specific Security Measures Listed
Lists specific security measures: encryption (in transit and at rest), access controls, pseudonymization where appropriate, regular security testing, incident response procedures, staff training. Article 32 examples.
🟡 Important
Regular Security Assessments
Processor commits to regular testing, assessment, and evaluation of security measures' effectiveness. Article 32(1)(d) requirement. Demonstrates ongoing security vigilance.
🟡 Important
Security Documentation Available
Processor makes information about security measures available to Controller for compliance verification. Article 28(3)(h) transparency. Enables Controller to demonstrate accountability.
🟡 Important
Security Incident Response Plan
Processor maintains documented incident response procedures for detecting, investigating, and responding to security events. Best practice for Article 32 compliance. Shows preparedness for breach scenarios.
🔵 Recommended
Assistance with Rights Requests
Processor assists Controller in responding to data subject rights requests: access, rectification, erasure, restriction, portability, objection. Article 28(3)(e) requirement. Essential for Controller's compliance with Chapter III rights.
🔴 Critical
Response Timeframe for Assistance
Specifies reasonable timeframe for Processor to assist with rights requests (typically within 5-10 business days to allow Controller to meet 1-month deadline). Shows practical commitment to assistance obligation.
🟡 Important
Direct Requests to Controller
If Processor receives direct request from data subject, Processor redirects to Controller without undue delay. Maintains proper controller-processor roles. Prevents confusion over responsibility.
🟡 Important
Immediate Breach Notification
Processor notifies Controller without undue delay (typically within 24-48 hours) upon becoming aware of personal data breach. Article 28(3)(f) and Article 33 requirement. Critical for Controller to meet 72-hour ICO notification deadline.
🔴 Critical
Breach Information Requirements
Notification includes: nature of breach, categories/numbers of data subjects and records affected, likely consequences, measures taken/proposed to address breach. Article 33(3) required details. Enables Controller assessment.
🔴 Critical
Breach Contact Point
Processor designates specific contact point for breach notifications available 24/7. Shows operational readiness. Ensures no delay in critical communications.
🟡 Important
Breach Documentation
Processor documents all breaches including facts, effects, and remedial action taken. Article 33(5) requirement. Essential for demonstrating accountability and learning from incidents.
🟡 Important
Assistance with DPIAs
Processor assists Controller with Data Protection Impact Assessments when required under Article 35. Article 28(3)(f) obligation. Processor has relevant technical knowledge to contribute.
🔴 Critical
Prior Consultation Support
Processor assists if Controller must consult ICO prior to processing under Article 36. Provides necessary technical/organizational information. Shows comprehensive cooperation commitment.
🟡 Important
Controller Audit Rights
Controller has right to audit Processor's compliance with DPA obligations. Article 28(3)(h) fundamental requirement. Essential for Controller to demonstrate accountability and oversee processing.
🔴 Critical
Audit Frequency and Notice
Specifies reasonable audit frequency (e.g., annually, or as needed if breach/complaint occurs) and advance notice period (e.g., 30 days). Balances oversight with operational practicality.
🟡 Important
Information Access for Audits
Processor makes available all information necessary to demonstrate compliance. Article 28(3)(h) transparency. Includes policies, procedures, logs, security documentation.
🟡 Important
Third-Party Auditor Option
Controller may appoint independent third-party auditors. Recognizes Controller may lack internal audit resources. Standard in commercial DPAs for larger organizations.
🔵 Recommended
Transfer Restrictions
Processor cannot transfer personal data outside UK/EEA without Controller's prior authorization and appropriate Article 46 safeguards. Chapter V requirement. Controller retains control over international data flows.
🔴 Critical
Transfer Mechanisms Specified
If transfers occur, specify mechanism: UK adequacy decision, International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs), binding corporate rules, or other Article 46 safeguard. Required Chapter V compliance.
🔴 Critical
Sub-Processor Transfer Obligations
Same transfer restrictions and safeguards apply to sub-processors. Ensures consistent protection throughout processing chain regardless of geographic location.
🟡 Important
Deletion Upon Termination
Upon termination of services, Processor deletes or returns all personal data to Controller and deletes existing copies (unless required by law to retain). Article 28(3)(g) requirement. Ensures data doesn't persist unnecessarily.
🔴 Critical
Controller's Choice
Controller specifies whether data should be returned (in common format) or deleted. Gives Controller flexibility based on ongoing needs. Standard commercial practice.
🟡 Important
Timeframe for Return/Deletion
Specifies reasonable timeframe (e.g., within 30 days of termination) for return/deletion. Provides clarity and ensures prompt action.
🟡 Important
Certification of Deletion
Processor provides written certification that all personal data has been deleted or returned. Demonstrates compliance and provides audit evidence.
🔵 Recommended
Processor Liability for Breaches
Processor liable for damages caused by processing that violates UK GDPR or fails to comply with lawful Controller instructions. Article 82 establishes liability framework. Essential for enforcement.
🔴 Critical
Indemnification Provisions
Processor indemnifies Controller for losses arising from Processor's breach of DPA, including ICO fines, compensation claims, legal costs. Standard commercial protection for Controller.
🟡 Important
Limitation of Liability
May reference liability caps in Principal Agreement, but note UK GDPR liabilities cannot be completely excluded. Balances commercial practicality with legal requirements.
🔵 Recommended
DPA Term
States DPA remains in force for duration of Principal Agreement or until all personal data deleted. Aligns DPA lifecycle with processing relationship. Prevents gaps in protection.
🟡 Important
Termination for Breach
Controller may terminate DPA immediately if Processor commits material breach of data protection obligations. Protects Controller from continuing non-compliant relationship.
🟡 Important
Survival of Obligations
Certain obligations survive termination: confidentiality, data deletion, audit rights for terminated period, indemnification. Ensures complete compliance even post-relationship.
🔵 Recommended
Notices Procedure
Specifies how notices must be given: writing, delivery methods (email, post, hand delivery), deemed receipt times. Ensures effective communication between parties.
🟡 Important
Amendment Procedure
Changes to DPA must be in writing and signed by both parties. Prevents unilateral modifications. Standard contract protection.
🟡 Important
Entire Agreement Clause
DPA (together with Principal Agreement) constitutes entire agreement on data processing, superseding prior agreements. Prevents disputes over contradictory terms.
🔵 Recommended
Severability
If any provision invalid/unenforceable, remaining provisions continue in force. Courts will interpret to give maximum effect. Standard contract resilience clause.
🔵 Recommended
Waiver Provision
Failure to enforce any right doesn't constitute waiver. Party can still enforce later. Protects rights from inadvertent loss.
🔵 Recommended
Counterparts Clause
Agreement may be executed in counterparts, each an original, all together constituting one instrument. Facilitates practical execution.
🔵 Recommended
Supplementary Nature
DPA supplements Principal Agreement and doesn't replace or supersede it. Clarifies relationship between contracts. Both remain in effect.
🟡 Important
Conflict Resolution
In event of conflict between DPA and Principal Agreement regarding personal data processing, DPA terms prevail. Ensures data protection requirements take priority.
🟡 Important
Governing Law Specified
States which UK jurisdiction's law governs the DPA: England & Wales, Scotland, or Northern Ireland. Essential for legal certainty and enforcement.
🔴 Critical
Jurisdiction Specified
Parties agree which courts have exclusive jurisdiction to settle disputes. Typically courts of England & Wales, Scotland, or Northern Ireland. Prevents forum shopping.
🔴 Critical
Signature Blocks for Both Parties
Provides signature blocks for Controller and Processor with spaces for: signature, name, position, date. Essential for contract formation and evidence.
🔴 Critical
Witness Requirements
Includes witness signature sections if required by your jurisdiction or preference. Adds evidentiary weight. Particularly important for significant contracts.
🔵 Recommended
Next Steps
Now that you've reviewed the compliance checklist, you have three options:
✅ Use Our Ready-Made Template (Recommended)
Save hours of legal research and drafting. Our professionally-crafted Data Processing Agreement covers all 64 UK GDPR Article 28 compliance points with legally-sound wording. Available in both Interview Mode (guided questionnaire) and Editor Mode (direct editing) for just £10.
📝 Draft Your Own DPA
Use this checklist as your guide, but remember: getting the legal wording correct is complex. UK GDPR Article 28 requires precise language around processing instructions, security obligations, sub-processor controls, breach notification, and audit rights. Missing a mandatory provision can result in ICO fines up to £17.5M or 4% of global turnover.
⚖️ Book a Legal Consultation
For complex processing arrangements, special category data, or international transfers, consider booking a consultation with our legal professionals for personalized UK GDPR advice tailored to your specific controller-processor relationship.