We work in your timezone - UK / Europe / Canada / Gulf London Dublin Toronto Dubai
Home / Guides / UK GDPR & offshore development
UK data protection guide

UK GDPR & offshore development: DPAs, the IDTA and data transfer explained

If an external engineering team will touch your users' personal data, UK GDPR follows that data wherever it goes. This guide explains, in plain English, when a transfer becomes a restricted international transfer, what a DPA and the IDTA each do, and the safeguards to put in writing before anyone gets access.

In short

Under UK GDPR, you remain the data controller even when an external development team processes personal data on your behalf. You need an Article 28 DPA to govern that processing, and — if the team is in a country without UK adequacy status — an IDTA (or the UK Addendum to the EU SCCs) plus a transfer risk assessment to legalise the cross-border element. If the team only works on synthetic or anonymised data, there is no restricted transfer and no IDTA is required. This is a plain-English explainer, not legal advice.

The core question

When does an external team trigger a UK data transfer?

UK GDPR restricts sending personal data outside the UK to a country that the UK has not deemed to offer "adequate" protection. The phrase that matters is restricted transfer: it happens when a UK controller or processor makes personal data accessible to a receiver in a non-adequate country. Crucially, remote access counts — if an engineer abroad can read production records on your servers, that is a transfer even though no file is "sent" anywhere.

So the first thing to establish is not where the team sits, but what data they can actually see. Many builds never expose real personal data at all.

  • No personal data accessed — synthetic or anonymised datasets only: no restricted transfer, no IDTA
  • Personal data accessed in an adequate country — UK GDPR still applies, but no transfer mechanism needed
  • Personal data accessed in a non-adequate country — restricted transfer: IDTA + transfer risk assessment required
Does a transfer occur?
ScenarioRestricted transfer?Mechanism
Synthetic / anonymised data onlyNoNone
Pseudonymised, no re-ID accessUsually noDPA good practice
Real data, adequate countryNoDPA
Real data, non-adequate countryYesDPA + IDTA + TRA
Two documents, two jobs

DPA vs IDTA: what each one actually does

People use "DPA" and "IDTA" loosely, but they solve different problems and you usually need both. The DPA governs how personal data is processed; the IDTA legalises moving it across the UK border to a non-adequate country.

The DPA (Article 28)

The contract between you (controller) and the development team (processor). It binds the team to process data only on your documented instructions, keep it confidential and secure, and return or delete it at the end.

The IDTA

The UK's standard transfer agreement, published by the ICO. It is the cross-border safeguard you put in place when data goes to a country without UK adequacy. Alternatively, the UK Addendum bolts onto the EU SCCs.

The TRA

The Transfer Risk Assessment. Before relying on an IDTA you document whether the destination's laws and practices could undermine the protection the IDTA promises — and what extra measures close any gap.

The ICO publishes the IDTA, the Addendum and a TRA tool free of charge at ico.org.uk.

The checklist

What a UK-GDPR-compliant DPA must contain

Article 28 sets out the minimum a DPA must include. If a development team offers you a contract, this is the list to check it against. Anything missing is a gap you will own as the controller.

  • Subject matter, duration, nature and purpose of the processing
  • Categories of personal data and of data subjects
  • Processing only on your documented instructions
  • Confidentiality commitments from everyone with access
  • Appropriate technical and organisational security measures
  • Rules on engaging sub-processors (your prior authorisation)
  • Help with data-subject rights requests and DPIAs
  • Breach notification without undue delay
  • Deletion or return of all data at the end of the engagement

Beyond the legal minimum, the practical safeguards below are what keep an engagement clean in day-to-day work. Demand them in writing — a serious team will already operate this way.

  • Data minimisation by design — synthetic or masked data in dev and test
  • Least-privilege access — only senior engineers, only what they need
  • Client-controlled repositories and cloud accounts from day one
  • Audit logging of who accessed what, and when
  • SSO, MFA and encryption in transit and at rest
  • Offboarding that revokes access the day someone rolls off
In practice

A practical sequence before anyone gets access

1. Map the data

List what personal data the build genuinely needs and at what stage. Most development never needs real production records — decide what can be synthetic or masked.

2. Confirm the roles

You are the controller; the team is the processor. Record that in an Article 28 DPA covering the points in the checklist above.

3. Check adequacy

Establish where data will be accessible from. If that includes a non-adequate country, a restricted transfer occurs and you move to the IDTA.

4. Put the IDTA in place

Use the ICO's IDTA (or the Addendum to the EU SCCs) for the cross-border element, signed before any access is granted.

5. Do the TRA

Document the transfer risk assessment and any extra technical measures — encryption, pseudonymisation, access controls — that protect the data in practice.

6. Lock down access

Grant least-privilege, named access with MFA and audit logging. Keep production data out of reach unless it is genuinely required.

See how we structure UK engagements →

How Meridianstacks handles it

Built so the transfer question is small — or absent

We are a globally distributed team of senior, fluent-English engineers working UK hours, and we design engagements to keep personal data exposure to a minimum. In most projects our engineers build and test against synthetic or anonymised data, with production access restricted to a small, named, audited group only when there is a real need.

Where a restricted transfer is unavoidable, we sign a UK-GDPR-compliant DPA and put an IDTA in place, supported by a transfer risk assessment and the technical measures above. Repositories and cloud accounts are client-controlled from day one, and you own all code and IP under UK law. The result is a build that is straightforward to defend to your DPO or the ICO. For a fuller picture, see our UK offshore software development page and the UK market hub.

Our default posture
  • Synthetic / anonymised data in development and test
  • Senior engineers, least-privilege production access
  • UK-GDPR DPA + IDTA where a transfer applies
  • Transfer risk assessment on file
  • Client-controlled repos, IP and accounts
  • UK-hours collaboration — questions answered same day
Questions & answers

UK GDPR & offshore development — FAQ

Do I need an IDTA if my development team is outside the UK?
You need an IDTA (or the UK Addendum to the EU SCCs) whenever personal data restricted by UK GDPR is transferred to a country without UK "adequacy" status. If your external team only ever works on synthetic, anonymised or fully pseudonymised data, no restricted transfer occurs and no IDTA is required. If they can access real personal data on your systems, plan for an IDTA plus a transfer risk assessment.
What is the difference between a DPA and an IDTA?
A Data Processing Agreement (DPA) is the Article 28 contract between you (controller) and your processor that sets out how personal data is handled. The IDTA — the International Data Transfer Agreement — is the separate transfer mechanism that legalises sending that data outside the UK to a non-adequate country. You typically need both: the DPA governs the processing, the IDTA legalises the cross-border element.
Who is the controller and who is the processor?
In a typical build, your company is the controller — you decide why and how personal data is used. The development team is the processor, acting only on your documented instructions. That relationship is what an Article 28 DPA must record. Getting these roles right determines who carries which obligations under UK GDPR.
Can offshore developers work without ever touching real personal data?
Often, yes — and it is the cleanest approach. Many builds proceed entirely on synthetic or anonymised datasets, with production access restricted to a small, named, audited group. Designing for data minimisation from day one can remove the international transfer question altogether, or shrink it to a tightly controlled exception.
What should a UK-GDPR-compliant DPA actually contain?
An Article 28 DPA should cover the subject matter and duration, the nature and purpose of processing, the categories of data and data subjects, processing only on documented instructions, confidentiality, security measures, sub-processor rules, assistance with data-subject rights, breach notification, and deletion or return of data at the end. For non-adequate transfers it should reference the IDTA and the transfer risk assessment.
Is this article legal advice?
No. This is a plain-English explainer to help UK companies understand the moving parts of UK GDPR offshore data transfer so they can ask the right questions. For your specific situation, confirm the position with a qualified data-protection adviser or the ICO before signing contracts or transferring data.

Want a build that is easy to defend to your DPO?

Book a free 30-minute scoping call in UK hours. We will walk through how your data would be handled, what a DPA and IDTA would cover, and how to keep personal data exposure to a minimum.

Book a free scoping call →