4 min read

A Guide To Data Processing Agreements

By Lucy Palmer on 04/04/22 12:27

A Data Processing Agreement is a legal agreement between a data processor and a data controller. It is used to regulate any personal data that is processed for business purposes. The document sets out what can be done with the data as well as the relationship between the processor and controller.

Most organisations in the world need to process personal data in some form and so it is important for everyone to understand the law. 

What Is The UK GDPR?

In the UK, the key legislation for data protection is the UK GDPR. This was adapted from the EU GDPR when Britain left the EU and sits alongside the 2018 Data Protection Act. 

The UK GDPR sets out the main principles and obligations when it comes to data processing. These include lawfulness, fairness and transparency. The regulation is then supplemented by the 2018 DPA which adds certain exemptions.

What Is The Difference Between a Data Processor and a Data Controller?

Data processing essentially involves working with personal data - whether collecting, translating, communicating or classifying it to produce meaningful information. This means that both data processors and controllers are subject to the UK’s Data Protection Act.

The data controller is the party who has collected the data. They must have explicit, continuous consent to store the data and hold responsibility for making sure it is processed lawfully. For example, if a company collects the email addresses of their customers, they must take measures to ensure this data is protected.

In contrast, the data processor is involved in handling the data. If a third party is hired to analyse the customer data that has been collected, they will be a data processor. The company who has collected the data must have a reason to grant the processor access - which should be outlined in the Data Processing Agreement.

This is only one example among many that a company might need a Data Processing Agreement. These include analysis, storage or marketing. Even if the list of email addresses is simply alphabetised, you will need a Data Processing Agreement?

What Does A Data Processing Agreement Need To Include?

A Data Processing Agreement needs to outline the nature of the processing. This should include the nature, duration and purpose of the way they will handle the data. They must also be explicit regarding the relationship between the processor and the controller. This includes highlighting the rights and obligations of the controller towards the data.

The agreement also needs to clarify the type and categories of the data. If it is considered to be special category data, the processor will have to follow different regulations. This type of data needs to be protected to a higher standard.

More generally, the agreement must include certain clauses to ensure it is lawful. The processor cannot act outside the explicit instruction of the controller (unless it is required by law). They must be open to all legal audits and inspections.

They must handle the data with an appropriate level of protection and compliance, in line with the UK GDPR. This involves supporting the controller in responding to requests from individuals as well as reporting personal data breaches. At the end of the contract, the data must be deleted or returned to the controller.

When it comes to using a sub-processor, there must be another written contract. This sub-processor must fulfil all the same expectations when it comes to the law.

How Can Convene Help With Your Data Processing Agreements?

The GDPR says that you are responsible for any data you collect. This means you should take reasonable measures to look after it. These measures can include security, in a traditional sense, and reasonable compliance.

The GDPR values good processes as much as it values perfect results. Make sure you’re doing everything you can to demonstrate compliance with the law.

Convene is an award-winning Board Portal which can help you ensure the integrity of any data you process. Our all-in-one meeting solution is fully GDPR-compliant and designed to the highest level of security.

We have a feature that will help you achieve every step of good governance:

  1. A Document Library with role-based access to ensure that your sensitive documents will only be seen by those you permit and other documents are available for all to see.
  2. A built-in audit trail so you can be sure you are compliant with any and all regulations.
  3. You can follow-along with the speaker during a meeting so you will literally always be on the same page during discussions.
  4. Integrated Video Conferencing so you can make the switch from remote to hybrid working seamlessly, whilst still viewing your Board Pack all on one screen.
  5. Surveys, with the option for anonymity, so you can be sure you are aware of your employees opinions.
  6. Our accessibility features, including text-to-voice, make us the leading accessible Board Portal.
  7. Not only do we help you save resources such as paper, and thus being better for the environment but we also save you money! The cost of paper adds up and our option for cloud-hosting also ensures that you can be at the forefront of energy savings.
  8. Our state-of-the-art security is CMMI-Level 5 accredited, which means we could work with NASA, so you can rest assured that your data is given the protection it deserves.


If you want to learn more about how Convene can support your organisation, check out our Customer Success Stories or book a free trial today!

Lucy Palmer

Written by Lucy Palmer

Subscribe to the Convene blog to get regular tips and updates on Governance and Digital Transformation!