Data protection outsourcing questions are usually the first ones a practice manager raises, and they should be, given what is at stake. Client and matter data is the most sensitive thing a law firm holds, and handing any part of the workflow to an outside provider means putting real thought into how that data is protected, not just trusting that it will be. This is what an actual Data Processing Agreement needs to cover, and why a general confidentiality clause is not enough.
Why a confidentiality clause alone is not sufficient
Under Article 28 of the UK GDPR, any time a controller (the firm) uses a processor (an outsourced provider) to handle personal data on its behalf, a specific written contract is legally required, not just good practice. The ICO’s own guidance sets out exactly what this contract must contain, and it goes well beyond a promise to keep things confidential.
What an Article 28 Data Processing Agreement actually has to cover
- Subject matter and duration. What data is being processed, and for how long.
- Nature and purpose. Why the data is processed and what is actually being done with it.
- Types of personal data and categories of data subjects. This should be specific, not a vague catch-all.
- The controller’s rights. Including the right to issue instructions, audit, and terminate.
- Confidentiality. Every person with access must be bound by a confidentiality obligation.
- Security measures. Appropriate technical and organisational measures under Article 32.
- Sub-processor rules. A processor cannot bring in another processor without the controller’s written authorisation, and any sub-processor must be bound by equivalent terms.
- Assistance with data subject rights. The processor must help the controller respond to subject access requests and similar.
- Breach notification and deletion. Clear timelines for reporting a breach, and a defined process for deleting or returning data at the end of the engagement.
This list comes directly from the ICO’s guidance on what the contract must include. If a provider’s paperwork does not cover most of this by name, it is worth asking why before agreeing to anything.
The question everyone eventually asks: where is the data actually processed?
If a provider’s staff are based outside the UK, this is not a reason to avoid outsourcing outright, but it does mean the international transfer needs a proper legal mechanism, not silence. The standard route is the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, backed by a documented Transfer Risk Assessment. This should sit inside the same contract as the Article 28 terms, not as a separate afterthought.
Data protection outsourcing: what good practice looks like day to day
Beyond the contract itself, the practical controls matter just as much: matter-limited access so a paralegal only sees the files relevant to their current work, individual (never shared) login credentials, no storage of client data on personal devices or personal cloud accounts, and a defined breach-reporting window measured in hours, not days. Our How It Works page sets out how this is structured in practice, and it is worth asking any provider you are considering to walk you through their equivalent.
Want to see the actual DPA?
We can send over our Article 28 terms and transfer risk assessment before you commit to anything, so your own review has something real to check.
Request the DPARecent updates worth knowing about
The Data (Use and Access) Act 2025 made some adjustments to the UK’s data protection framework, though the core Article 28 processor obligations remain the foundation of any outsourcing arrangement. If a provider’s contract has not been reviewed since before 2025, that is a reasonable question to raise directly.
If you are scoping outsourced paralegal support and want to see what a proper DPA looks like before committing to anything, our Contact page is the fastest way to get the actual paperwork in front of you.
