What is a data processing agreement?
A data processing agreement, or DPA, is an agreement between a data controller (such as a company) and a data processor (such as a third-party service provider). It regulates any personal data processing conducted for business purposes. A DPA may also be called a GDPR data processing agreement.
Data processing includes any operation in which data is collected, translated, communicated, and/or classified to produce meaningful information. Companies often hire third parties to process and analyze customers’ personal data, which usually necessitates a DPA.
For example, the New York Times (NYT) uses Google BigQuery to gather and analyze data about what articles people read, how long they stay on site, and how often they use the NYT app. This is meaningful information for making business decisions, and there is surely a DPA between NYT and Google that governs the use and management of that data.
The Purpose of a DPA
A data processing agreement lays out technical requirements for the controller and processor to follow when processing data. This includes setting terms for how data is stored, protected, processed, accessed, and used. The agreement also defines what a processor can and cannot do with data.
The DPA is a key component of GDPR compliance.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a privacy and security law passed by the European Union (EU). Though created by the EU, the GDPR applies to any organization that targets or collects data about people in the EU.
The GDPR focuses mainly on personal data and data processing, data subjects, controllers, and processors. It mandates signing a DPA with third-party data processors. If your organization uses data about EU residents, you must be GDPR compliant and use DPAs. Failing to do so could result in hefty fines and penalties.
When do I need a DPA?
Organizations leveraging data on EU residents need a GDPR data processing agreement any time they hire a third party to process that data. For companies that do not engage with EU user data, a DPA can still prove useful for outlining the terms of business with external data processors.
A data processing agreement defines clear roles and obligations for controllers and processors. It is a useful contract for any arrangement between two parties working with customer or user data.
Elements of a DPA
Generally speaking, a DPA should include the scope and purpose of data processing, what data will be processed, how it will be protected, and the controller-processor relationship.
GDPR data processing agreements must be particularly detailed. They should include:
- General information: This includes the activities involved in data processing, the ways personal data is used, the party responsible for ensuring GDPR compliance, and the duration for which processing will occur. It also covers definitions of data subjects (customers or users), the types of data to be processed, how and where data is stored, and the terms of contract termination.
- Responsibilities of the controller: When it comes to GDPR compliance, establishing a lawful data process and observing data subjects’ rights falls to the controller. The controller is also responsible for issuing processing instructions and dictating how the processor handles data.
- Responsibilities of the processor: Under GDPR, processors have a long list of responsibilities. These include maintaining information security, cooperating with authorities in the event of an enquiry, reporting data breaches, providing opportunities for audits, record keeping, deletion or return of data at the end of the contract, and more.
- Technical and organizational requirements: How will data be encrypted, accessed, and tested? Can both parties ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services? GDPR demands that controllers and processors consider how state-of-the-art technology, the costs of implementation, and variances in personal freedoms affect their ability to ensure ongoing data security.
If the processor plans to utilize sub-processors, a section outlining sub-contractual relationships is also necessary. The processor needs written consent from the controller to use sub-processors, which must ensure data protection and pass compliance verification regularly.
Signing a DPA as a customer (controller)
When an organization hires or partners with a third-party data processor, it will likely be asked to sign a DPA with that processor. This is completely normal and even required if the organization is working with the personal data of people living in the EU.
For example, a healthcare provider may decide to purchase cloud-based patient management software that stores information about people’s medical care. While the software may be an excellent upgrade from paper-based or spreadsheet systems, the software provider is a third party that will be collecting, storing, and communicating personal data about patients. This necessitates a data processing agreement.
When presented with a DPA, make sure it clearly outlines how data can be used by the processor. Look for the elements of a DPA listed above, and ensure that they are detailed enough so as not to leave room for interpretation.
In the case of a GDPR data processing agreement, remember that the controller can be held responsible for a data breach even if it was caused by a processor error. Make sure that the processor has the capacity necessary to ensure data protection and has measures in place to respond quickly to any issues that arise.
Creating a DPA as a service provider (processor)
If you’re providing data processing, especially for customers working with data from users in the EU, you’ll want to be familiar with creating and managing DPAs.
A great place to start is by looking at the DPAs currently used by enterprise processors. For example, HubSpot’s DPA is easy to find and read. Data processing agreements are lengthy, however, and reading even a few to inform your own contract building can take a lot of time.
What’s more, some or all of your customers may need unique DPAs that meet their data usage needs. Managing these various DPAs can become a drain on your legal team’s productivity. Given how important it is to accurately manage contracts concerning consumer data, you’ll need an intelligent management system that prevents errors and lapses while also empowering anyone who needs to create a contract.
When contract data is stored in separate systems that don’t communicate with one another, inefficiency takes over. Data processors need a solution that unifies isolated management processes, creates transparency, and automates contract management workflows.
The best solution is contract lifecycle management (CLM) software. Agile contract software offers an all-in-one solution with a single source of truth for all your contracts. It makes contract management transparent and maintains GDPR compliance automatically.
Next steps
Ready to take your DPAs and contract management to the next level? Sign up for a demo today and see what Ironclad’s contract lifecycle management can do for your business.
Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad’s site do not create an attorney-client relationship between the user and Ironclad.