UK GDPR Third-Party Data Processing Requirements

Legal documentation representing UK GDPR Article 28 data processing agreement review.

The starting point: UK GDPR still applies

Following the UK’s departure from the EU, the GDPR was retained in UK law as the UK GDPR, sitting alongside the Data Protection Act 2018. The substantive obligations on controllers and processors under Articles 28 and 29 are materially unchanged from the EU GDPR, with the Information Commissioner’s Office (ICO) as the regulator.

For UK businesses, the practical consequence is that any arrangement where a third party handles personal data on your behalf is a controller-processor relationship under UK GDPR, and it needs to be structured accordingly as part of your broader Third-Party Risk Management approach. The most common scenarios: cloud infrastructure providers, SaaS applications, payroll bureaux, marketing automation platforms, customer support outsourcers, and analytics vendors.

Controller obligations under UK GDPR Article 28

Article 28 of UK GDPR imposes specific duties on a controller before and during any engagement with a processor.

Sufficient guarantees

A controller may only use processors that provide ‘sufficient guarantees’ to implement appropriate technical and organisational measures so that the processing meets UK GDPR requirements. In practice, this is evidenced through due diligence: ISO 27001 certification, SOC 2 reports, Cyber Essentials status, responses to a security questionnaire, and a demonstrable incident history. ‘We trust them because they are a big brand’ is not a sufficient guarantee.

Written contract

There must be a written contract or other legal act binding the processor to the controller. Article 28(3) specifies the contents: subject matter, duration, nature and purpose, type of personal data, categories of data subjects, and the obligations and rights of the controller. The contract must also include specific processor commitments:

  • Process only on documented instructions from the controller, including transfers to third countries.
  • Ensure persons authorised to process the data are under confidentiality obligations.
  • Implement appropriate technical and organisational security measures.
  • Only engage sub-processors with prior specific or general written authorisation.
  • Assist the controller in responding to data subject rights requests.
  • Assist with security, breach notification, and Data Protection Impact Assessment obligations.
  • At the end of services, return or delete personal data as the controller chooses.
  • Make available all information necessary to demonstrate compliance, and allow audits.

These clauses are colloquially called a Data Processing Agreement (DPA). UK businesses should treat a DPA as mandatory, not optional, for every processor engagement.

Processor obligations under UK GDPR

If your business acts as a processor for someone else’s personal data, the obligations run the other way:

  1. Act only on documented instructions from the controller.
  2. Maintain a record of processing activities under Article 30(2) if you have 250+ employees, or if processing is not occasional, or if it includes special category data.
  3. Cooperate with the ICO as required.
  4. Implement appropriate security under Article 32.
  5. Notify the controller of personal data breaches without undue delay.
  6. Appoint a Data Protection Officer (DPO) if your core activities require it.

Processor liability under Article 82 is joint and several with the controller for damages arising from a breach, which is why DORA-covered firms take processor incident timelines especially seriously. In other words, a processor cannot hide behind its controller’s instructions when a data subject seeks compensation.

Sub-processors: the layer that causes trouble

Most UK GDPR third-party failures we see in 2026 are not at the primary processor layer. They are at the sub-processor layer. The primary vendor has a clean ISO 27001 scope and a sensible DPA. But the vendor has quietly added three new sub-processors in the last 18 months and none of them are on your authorised list.

Article 28(2) requires processors to obtain prior authorisation before using sub-processors. There are two models:

  • Specific authorisation: the processor names each sub-processor and the controller authorises by name.
  • General authorisation: the processor maintains a list of sub-processors, notifies the controller of changes, and the controller has the right to object.

The general authorisation model is more workable at scale, but it only works if the processor actually maintains and shares the list. When they do not, your UK GDPR position quietly erodes over time.

Practical guidance: for every Tier 1 vendor, request their current sub-processor list at least annually, confirm the DPA requires onward flow-down of UK GDPR obligations to each sub-processor, and maintain your own register as part of your third-party risk assessment process so you can respond to data subject requests about where their data has travelled.

International transfers after the UK-EU split

The UK has its own adequacy and transfer regime. Transfers of personal data from the UK to a third country require a lawful transfer mechanism under Chapter V of UK GDPR. The options are:

  • An adequacy decision by the UK government. The UK recognises adequacy for the EEA countries and a small set of third countries including South Korea, Japan, Canada (commercial organisations), and Israel.
  • The UK International Data Transfer Agreement (IDTA), which replaced the old EU Standard Contractual Clauses for UK transfers.
  • The UK Addendum to the EU SCCs, permitted where the EU SCCs are already in use.
  • Binding Corporate Rules (BCRs) for intra-group transfers.
  • Derogations under Article 49, narrowly interpreted.

The UK-US Data Bridge came into effect on 12 October 2023. It permits transfers from the UK to US organisations that are certified under the UK extension of the EU-US Data Privacy Framework. For UK firms using US-based cloud or SaaS providers, the practical question is whether the specific vendor is certified. If not, an IDTA or UK Addendum to SCCs is needed.

Common failure patterns we see in UK organisations

Four patterns cover most UK GDPR third-party failures:

  • No DPA in place. The vendor has been used for two years, personal data has been processed, and no signed DPA exists. This is a straightforward Article 28 breach.
  • Generic DPA not tailored to the processing. The vendor’s boilerplate DPA references processing categories that do not match what they actually do for you. This matters when something goes wrong and the paperwork is scrutinised.
  • Sub-processor drift. The authorised sub-processor list at contract signing does not match the current sub-processor list, and no one has been notified.
  • Transfer mechanism silence. Data is leaving the UK but no IDTA, UK-US Data Bridge certification, or other mechanism is in place. This is one of the first things the ICO looks at in a breach investigation.

How Logica Security supports UK GDPR third-party compliance

Logica Security’s TPRM service is a fully managed, done-for-you service that includes UK GDPR-specific due diligence end-to-end: DPA review and gap analysis against Article 28, sub-processor register reconciliation, international transfer mapping, and data subject rights response readiness across your processor population. Your team keeps oversight. We handle the work. If you are preparing for an ICO audit, responding to a data subject access request that spans multiple processors, or renegotiating a major vendor contract, we can scope and run the third-party data protection dimension.

What stays with you: deciding which processors are in scope, final risk acceptance decisions, and internal escalations. Everything else is run by our team, with board-ready reporting through the Risk Committee cycle.

A short exploratory call is the fastest way to clarify where your UK GDPR third-party posture is strong, where it leaks, and what the next steps look like.

Key takeaways

  • UK GDPR Article 28 requires a written contract (DPA) with every processor, containing specific mandatory clauses.
  • Controllers remain liable for their processors’ failures and must use due diligence to confirm ‘sufficient guarantees’ before engaging a processor.
  • Sub-processor drift is the most common failure mode. Maintain your own register and reconcile it annually at minimum.
  • International transfers from the UK need a lawful mechanism: adequacy, IDTA, UK-US Data Bridge certification, BCRs, or narrow derogations.
  • A DPA is not a filing exercise. It should describe the actual processing and be reviewed when the processing materially changes.

Logica Security is a UK-based cybersecurity consultancy specialising in regulated and high-risk industries. We support organisations across cyber security, operational resilience and supplier risk.

© Logica Security Limited | Company Registration: 11806049. All rights reserved.