Under current Data Protection legislation, if another organisation is processing personal data on your behalf, you must ensure this third party only processes the data in line with your instructions, which should be written into existing contracts.

You will also have a responsibility to only use third parties that can give sufficient guarantees they will implement appropriate technical and organisational measures to ensure their processing meets UK GDPR requirements and protects data subjects’ rights.

If your organisation has not appropriately assessed third party data processors and implemented appropriate contracts and due diligence, you may be liable should the third party have a data breach or process your personal data inappropriately.

Evolve North can work with your organisation to:

  • Identify your third-party data processors.
  • Provide advice and guidance on the most effective approach for ensuring appropriate due diligence of these third parties in relation to the IT Security and Data Protection practices.
  • Support your organisation by carrying out the necessary due diligence on any third parties to ensure they have appropriate data protection and IT Security practices in place.
  • Support a review of contracts with third parties to ensure appropriate clauses on handling your personal data is included within these and in line with GDPR requirements.

This can be a challenging area to implement, but based on extensive experience with other organisations, Evolve North can support you to get this right, and ensure ongoing compliance with data protection and security requirements.


Evolve North works across a wide range of differing industries throughout the UK and Europe in both public, private and voluntary sectors.