  • Helen Taylor


Data Protection

Despite the ongoing notoriety of the legal requirements under data protection legislation, particularly when a data breach affects the general public, data protection is still often overlooked in commercial agreements, even where the provision of services may involve the processing of personal data. This is likely because the main considerations are usually service delivery and price.

Even if data protection is not a key priority in the commercial transaction, it is important that, if personal data is to be processed, the agreement makes provision for the rights and responsibilities of the parties under the Data Protection Act 2018 and the UK General Data Protection Regulation. This is key to managing any legal and financial risk and to being able to demonstrate legal compliance to the Information Commissioner’s Office (“ICO”). The need to address data protection must be viewed in the context that the ICO can issue monetary penalties that may run into the millions (up to £17.5 million) or as much as 4% of the total worldwide turnover, if higher.

If your business is going to be processing personal data and there is a commercial agreement in the background, here are some key questions that you need to be asking:

  • Does the agreement provide for data protection? If not, the agreement will need to be amended or a separate data processing agreement introduced.

  • Have the data controller and data processor been correctly identified? Getting the categorisation right determines the respective rights and obligations of the parties. Often parties get it wrong.

  • If there are terms regarding data protection, are they fit for purpose? UK organisations are required to demonstrate compliance; an agreement that does not contain core terms addressing, as a minimum, the following will fall short of this legal requirement:

      • The rights and obligations of the data controller and data processor.

      • Record management.

      • Data security.

      • Breaches and claims.

      • Sub-processing.

      • Handling data subject requests.

      • Data transfer outside of the UK and disclosures.

Many agreements are still drafted as though the UK were in the EU!

  • Has liability for any data breach been addressed? It is important that your business understands the extent of its liability in the event of a breach and ensures where appropriate that liability is capped. Cyber insurance may need to be considered here.

Apart from getting the deal done, there is clearly a lot to think about in relation to ensuring your business is legally compliant when it comes to data protection.


Whether it is a contract audit you need for peace of mind or you want a new legally compliant agreement, FG Solicitors’ Data Protection Management Package can provide you with the right solution.

To find out more about how we can assist your business in developing its commercial contracts, contact FG Solicitors today on 0808 172 93 22 or complete our quick contact form for a no obligation discussion!

Don’t miss our latest updates! Follow us on LinkedIn.

This update is for general guidance only and advice should be taken in relation to a particular set of circumstances.
