Outsourcing and data protection

Copyright © 2025 LexisNexis
Produced in partnership with Marina Paul
Practice notes

Outsourcing and data protection

Copyright © 2025 LexisNexis

Produced in partnership with Marina Paul

Practice notes
imgtext

In brief

Data protection laws in the UK seek to ensure information about living individuals (within the definition of ‘Personal data’) is used fairly and responsibly. To help ensure that, UK data protection law imposes a large number of obligations on those ‘processing’ personal data (and on controllers of such processing). ‘Processing’ is broadly defined to include doing most things with data, including storing, deleting, collecting, disclosing or using it.

One of the key protections under UK data protection law is the set of obligations placed on ‘controllers’ (usually meaning those that decide the purposes and means of processing) and ‘processors’ (those that process personal data on behalf of a controller further to the controller’s instructions). Among other things, UK data protection law usually requires controllers and processors to put in place contracts containing certain minimum provisions and ensure any processor(s) they engage are suitable. In an Outsourcing arrangement, the customer will often act as controller and the supplier as its processor.

This Practice Note introduces the Requirements under UK data protection law in the context of an outsourcing

Marina Paul
Marina Paul

Marina is highly experienced dual qualified practising solicitor in the fields of data privacy, cyber security and regulatory programmes and provides consultancy services in these fields. She has a strong background in the financial services arena having previously worked in-house for a major banking group for over 20 years.

Read moreRead more
Powered by Lexis+®
Jurisdiction(s):
United Kingdom
Related legal acts:
Key definition:
Outsourcing definition
What does Outsourcing mean?

Using a third party to undertake work that a law firm or in-house team would normally do for themselves and for which the firm or in-house team remain responsible.

Read more readmore

Popular documents

The UK General Data Protection Regulation (UK GDPR)—Navigator

The UK General Data Protection Regulation (UK GDPR)—Navigator [Archived]ARCHIVED: This Practice Note is not maintained and is for background information only. This archived Practice Note i) provides navigational information on the UK GDPR and accompanying Data Protection Act 2018 and ii) briefly

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companiesWhy does it matter?A company that is a member of a group and has incurred any of the types of losses available for surrender by way of group relief may, without any further rules, have more than one way in which to use the loss. There are a

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Glossary—Latin legal terms

Glossary—Latin legal termsDespite attempts in recent years to simplify the language used in legal cases, there are still a number of Latin phrases commonly used in personal injury claims. The following Latin phrases are listed in alphabetical order:Latin