Pilots Need Paperwork Too
- Kafico Ltd
- Sep 19
Updated: Sep 21

When a supplier offers a free pilot or short-term trial, it can feel easier to skip the paperwork. The team wants to test quickly, the supplier reassures you that it’s just a trial, and contracts get left for later.
But it's important to remember that, if personal data is involved, or if their system connects to yours, the legal and security obligations apply from day one - even without a commercial contract yet.
1. Personal data doesn’t know it’s a trial
Under UK GDPR, there is no exemption for pilots. As soon as a supplier processes personal data on your behalf, they are a data processor. That means a data processing contract is legally required, whether the arrangement is temporary or permanent.
2. System connections bring extra risk
Trials often involve connecting external systems to your systems or accessing external systems. Even for a short pilot, this creates technical risks such as security vulnerabilities or unauthorised access, as well as legal risks over where data flows and who can see it. A processing contract sets clear boundaries, confirms security measures, and ensures you can get assurance if needed. Without it, you could be exposing your live environment to an unknown.
3. Clear roles and responsibilities
If something goes wrong, such as a data breach or misuse of information, who takes responsibility? A processing contract sets out what the supplier can and cannot do, how incidents are reported, and who responds to data subject rights requests. Without this, you carry all the liability.
4. Preventing scope creep
Suppliers often treat pilots as a chance to collect more data or test new features. If there is no contract in place, nothing stops them from reusing your data outside of the purpose you agreed. A processing contract prevents this.
5. Data at the end of the trial
At the end of the pilot, what happens to the data? A contract forces the supplier to return or securely delete it. Without that agreement, you could lose control of it altogether.
6. Contracts can be short and simple
A processing contract does not have to be lengthy or complicated. A short, tailored document can cover all the essentials such as security, confidentiality, deletion and liability, while still allowing the pilot to move forward quickly.
7. The clauses that matter
Article 28 of UK GDPR sets out the minimum content of a data processing contract.
These headline clauses are the ones that really matter when it comes to trials or pilots.
Only act on written instructions: The processor can only use the data in the way you have agreed. This prevents “scope creep” or experimental use of patient data outside the pilot.
Confidentiality obligations: The processor must ensure staff handling your data are under a duty of confidentiality. This stops trial data being casually shared or misused.
Appropriate security: The processor has to implement suitable technical and organisational measures. Even in a short pilot, this ensures basic cyber hygiene when their system connects to yours.
Sub-processors only with consent: They cannot pass your data to other providers without your authorisation. This blocks hidden chains of subcontractors during a trial.
Assistance with rights and breaches: The processor must help you respond to data subject rights and to breaches. That matters if something goes wrong mid-trial and patients want answers.
Deletion or return at the end: When the pilot finishes, the processor must either return the data to you or delete it securely. That prevents indefinite retention after the trial ends.
Audit and assurance: You have the right to check or be assured that these obligations are being met. This gives you leverage even if the trial is “free.”
In Summary
Just because you have not committed to a commercial contract yet (or perhaps ESPECIALLY since you have not), processing contracts are required and they protect everyone involved. Speak to your DPO about getting one drafted!