The Data (Use and Access) Act came into law on 19 June 2025, so the Information Commissioner's Office (ICO) guidance is under review and may be subject to change. Their Plans for new and updated guidance page will tell you which guidance will be updated and when this will happen. Please bear this in mind when reading information in this section.

Introduction

The UK General Data Protection Regulation (UK GDPR) is the UK's version of data protection law. It took effect on 1 January 2021, at the end of the Brexit transition period. It sets out the rules for handling personal data, including the key principles, the rights of individuals, and the obligations of businesses and organisations. Derived from the EU's GDPR, the UK GDPR sits alongside the Data Protection Act 2018 and ensures that personal information in the UK is used fairly, lawfully and securely.

To comply with UK GDPR when outsourcing overseas, these are the main areas that require action:

Assess and record your data processing

Identify what personal data the outsourcing company will be able to access, and establish the roles of each party. Your practice will usually be the data controller, and the overseas outsourcing provider will typically be a data processor acting on your instructions. Record this in your Record of Processing Activities (RoPA), the document that Article 30 of the UK GDPR requires an organisation to keep to describe how it handles personal data. Read more on the ICO website.

Confirm lawful basis for processing

UK GDPR Article 6 requires every processing activity to have a lawful basis. Preparing accounts, payroll or tax returns involves processing personal data. When you outsource that work overseas you are not creating a new purpose, but you are extending the processing to a third party, so check that your existing lawful basis still holds and that your clients are properly informed. The most common lawful bases for this work are legal obligation (e.g. complying with HMRC requirements) and contract (processing data to deliver services under an engagement letter with your client). Read more on the ICO website.

Informing clients

Even if your lawful basis is sound, UK GDPR also requires transparency (Articles 13 and 14), so your privacy notice must clearly tell clients:

  • What data you collect and why.
  • That you may use overseas service providers (naming the countries if possible).
  • The lawful basis for the processing (contract/legal obligation).
  • What safeguards are in place for international transfers (e.g. the International Data Transfer Agreement (IDTA), or reliance on UK adequacy regulations).
  • Their rights (e.g. access, rectification, objection).

Read more on the ICO website.

Due diligence on the overseas outsourcing provider

Article 28(1) of the UK GDPR only allows you to use processors that provide sufficient guarantees that they will meet its requirements, so document your due diligence on the overseas outsourcing provider, including its security measures, policies and compliance with data protection standards. Keep the evidence you relied on, not just a note that checks were done.

Put a Data Processing Agreement (DPA) in place

A written DPA with the outsourcing provider is mandatory under UK GDPR Article 28. It must set out the subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects involved, and Article 28(3) requires it to include, as a minimum, terms covering:

  • Processing only on the documented instructions of the controller.
  • A duty of confidence on anyone authorised to process the data.
  • Appropriate security measures for the protection of the data.
  • Use of sub-processors only with the controller's prior authorisation, and on equivalent terms.
  • Assisting the controller in responding to data subjects' rights requests.
  • Assisting the controller with its own compliance obligations (security, breach notification, data protection impact assessments).
  • Deletion or return of the personal data at the end of the contract.
  • Making available the information needed to demonstrate compliance, and allowing audits and inspections.

Consider confidentiality agreements directly with the outsourced staff in addition to the contract you have with the provider. Read more on the ICO website.

Technical and Organisational Measures (TOMs)

Article 32 of the UK GDPR requires controllers and processors to implement appropriate TOMs. What is appropriate for your practice will depend on your circumstances: Article 32 asks you to weigh the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing against the risk to the individuals concerned.

Assess your own TOMs and check that the outsourcing provider has robust TOMs in place, such as encryption in transit and at rest, access controls (role-based access, multi-factor authentication), logging and monitoring, regular penetration testing and vulnerability management, and an incident response plan that includes notifying you of a personal data breach without undue delay. Include the agreed TOMs in the Data Processing Agreement so that they are contractually binding rather than a sales claim.

ISO 27001 certification is a strong indicator that TOMs are in place. If the outsourcing provider says it has such certification, request evidence: check that the certificate is current and issued by an accredited certification body, and that its scope and Statement of Applicability actually cover the services, locations and systems that will handle your clients' data.

Read more on the ICO website.

Ensure lawful international transfers

Giving an overseas provider access to personal data is a restricted transfer under UK GDPR, and this includes remote access by overseas staff to data held on UK servers, not only sending the data abroad. If the outsourcing provider is in a country that is not covered by UK adequacy regulations, you must have a proper international data transfer mechanism in place. The usual Article 46 mechanisms are the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs). If you rely on an Article 46 mechanism you must also carry out a Transfer Risk Assessment (TRA) to check whether the laws or practices in the destination country might undermine the protections in the contract, and keep a record of it. Find out more about adequacy regulations, Article 46 transfer mechanisms and Transfer Risk Assessments on the ICO website.

As part of your due diligence, confirm that the outsourcing provider has put in place any safeguards the transfer mechanism and your TRA require, and that these are reflected in the contract.