What is a Data Processing Agreement (DPA) and Why is It Important?

Data is one of the most valuable assets people can possess. It is also highly sought after by various global companies, resulting in wide-scale data collection practices throughout the world. 

How does your personal data matter and why is it sought after by companies? There are various reasons for data collection - from helping companies understand a particular demographic for better marketing to sending targeted ads to people - data collection is a practice that generally aids companies in increasing their global revenue. 

In such circumstances, it is natural to advocate for one’s privacy and ethical data collection practices. To safeguard people’s personal data, nations and organizations across the world have implemented various regulations to uphold data integrity and prevent the loss of the trust of data subjects. 

A kind of agreement that is often followed is the data processing agreement (DPA); commonly referred to as the data protection agreement or a data processing agreement. A DPA is often a mandatory requirement for companies that collect or process the personal data of their users and customers - before handing it over to third parties. 

So, what is a DPA and what is its relevance today? This article will provide a comprehensive overview of a DPA and its many aspects - from its key components to the best practices one can implement to draft a strong DPA. 

What is a Data Processing Agreement (DPA)?

Let us begin from the basics, understanding what a DPA is. A data protection agreement is a legal contract signed between two parties - the company that collects its customers’ and users’ private data and a third-party organization that processes the collected data. 

Depending on the jurisdiction of the company, the terms and regulations for a DPA may differ. However, the primary aim of a DPA is to regulate the data that has been collected and shared between both parties - assuring users, consumers, and more generally data subjects that their data is safeguarded and will be processed under relevant laws. 

An important data protection regulation formulated by the EU (European Union) is the General Data Protection Regulation (GDPR) - which governs the ways companies can use, process, and store personal data. Another well-known law is the California Consumer Privacy Act (CCPA) - implemented to enhance the privacy rights and consumer protection of people living in the state of California. Similarly, many countries have different data protection laws - but a DPA is a common practice for many organizations globally. 

Other well-known global data protection regulations include:

• UK GDPR 
• VCPDA (Virginia Consumer Data Protection Act)
• CPA (Colorado Privacy Act) 
• CTDPA (Connecticut Data Privacy Act) 
• Brazil’s Lei Geral de Proteção de Dados
• UAE’s Protection of Personal Data Protection 
• Thailand’s Personal Data Protection Act 
• South Africa’s Protection of Personal Information Act 

Why Do Businesses Need a DPA?

As a business, what good would a DPA do for you? To ensure that you are accountable for implementing relevant steps and security measures throughout data collection and processing practices. 

For example, if you decide to hire a third-party organization (e.g. a cloud service-based organization) to outsource the data processing of your users’ data, you must sign a data processing agreement. The contract will solidify the agreement between both parties - ensuring that the third-party organization upholds the tenets of information security, prevents any data leakage or other security incidents, and complies with relevant data protection laws. 

It is a known fact that most businesses rely on third-party organizations for processing their data - this can be carried out in the form of analytics, marketing data, cloud storage, CRM, etc. Signing a data privacy agreement bolsters your chances of:

• Legal compliance, as most countries have some form of national or international laws around data protection. Signing a DPA ensures that you are legally complying with those laws and reduces the chances of paying penalties in cases such as a data breach. 
• Minimizing risks such as data breaches or unauthorized access to your data by another party. This is accomplished by clearly outlining the responsibilities, data processing procedures, and obligations of both parties.
• Protecting the privacy rights of your users and customers - which in turn increases their trust in your business. 

Key Components of a DPA

Having understood what is a DPA, let us delve into the key components comprising one. These components play an integral part in drafting a robust and detailed agreement between the involved parties. 

Scope and Purpose of Data Processing

A key element of a DPA is clearly defining the scope and purpose of the data processing. This section could involve information such as:

• The kind of data being processed
• The purpose of the data processing
• Are there different categories in the data subjects and if so, what are the categories 
• The legal basis for processing this set of data 
• The process of returning or deleting the data once it has been processed 
• The expected duration of utilizing and processing the data 

Obligations of the Data Processor and Controller

All involved parties can ensure compliance by clearly outlining their obligations and responsibilities - in this case, the onus falls on the data processor (the third-party organization) and the controller. 

This section will define the responsibilities of the data processors and how they will carry about the data processing - according to the instructions set by the controller. Any deviation from the implemented instructions has to be processed through a legal channel. 

This section must also clearly state that at the end of the processing, the controller will retain rights over the data and determine what to do with it. 

Security Measures

A data protection agreement is incomplete without an extensive draft of the security measures in place to ensure there is no breach. These measures could address subjects such as:

• Data encryption tools and methods 
• Protocols that maintain data confidentiality, security, and resilience across various systems. 
• In case of attacks or data breaches, any process that will aid in restoring access to all personal data 
• Programs designed to evaluate the effectiveness of the security measures that are supposed to protect the data

Many data processors often access formalized certifications or draw up a code of conduct that will attest to the implemented protocols. Both measures are popular options and are GDPR-compliant. 

Data Subject Rights

This component of a DPA outlines the responsibilities of the data processor to implement relevant technical and organizational measures to respond to any requests made by data subjects. 

This means that the processor must notify the controller if it receives a request from data subjects  for example accessing to their data. The processor must also state that it will not respond to such requests barring the documented instructions of the controller. 

Sub-processors

If both parties agree to utilize a sub-processor, there must be an addendum for that as well. A sub-processor is an organization that has been engaged by the primary data processor to handle personal data - on behalf of the controller. While hiring sub-processors is also a common practice, there has to be a strict set of regulations to ensure data compliance. 

This involves clauses and instructions pertaining to the kind of data the sub-processor can access, the duration of possessing the data, the procedures for data processing, which security measures will be implemented by the sub-processor, and more. 

Breach Notification and Reporting

A DPA must have clauses pertaining to the measures both parties can take in case of a data breach. As per the GDPR guidelines, the processor must notify the controller promptly in such circumstances, and provide sufficient information to the controller, which allows them to report this instance to the applicable Supervisory Authority as well as to  users, consumers, and more generally to any data subject when relevant. 

There are also clauses pertaining to how the processor can aid the controller in the investigation, mitigation, and remediation of the breach.  

Data Deletion and Retention Policies

A DPA must have clear guidelines on data deletion and retention policies. The GDPR states that the data processor must delete and procure the deletion of any and all copies of the controller’s company personal data according to the stipulated timeline in the agreement. 

How DPAs Ensure GDPR Compliance

After explaining what is a DPA and its key components, let us understand how a DPA facilitates GDPR compliance. There are several tenets of a data privacy agreement that do the job, including:

Legal Basis for Data Processing

The GDPR has a strict set of rules that govern the legal basis upon which a party can carry out data processing. Controllers and third-party organizations have a legal basis for data processing under at least one of the following situations:

• The data subject has consented to the processing of their data for one or more specific purposes. 
• Data processing is necessary for the performance of a contract to which a data subject is a party, or to take steps at the request of the data subject prior to entering into a contract. 
• Data processing is necessary for the controller’s legal compliance. 
• The processing of data could protect the vital interests of the data subject or another person. 
• Processing is necessary to perform a task carried out for the public interest, or in the exercise of an official authority vested in the controller. 
• Data processing is necessary for the legitimate interests of the controller or data processor - except where such interests are overridden by the fundamental rights, freedoms, and interests of the data subject. 

Data Transfer Safeguards

Both the controller and processor agree upon certain mechanisms for safeguarding the data transfer process. The GDPR lists a set of transfer tools that are considered to be “appropriate safeguards” for the transfer of personal data. The main kinds of tools - relevant to private companies are:

• Standard data protection clauses 
• Binding corporate rules 
• Codes of conduct 
• Certification mechanisms 
• Ad hoc contractual clauses 

Audits and Monitoring

Every data processing agreement will have a set of clauses pertaining to audits. In this section, there may be clauses pertaining to:

• The rights provided by the data processor and controller to a neutral third party for an audit. 
• Ease of accessing information by the auditor - which must be facilitated by both the processor and controller. 
• A detailed outline of the audit procedure. 
• Any costs pertaining to a data audit - which is generally borne by the data processor. 

Best Practices for Drafting a Strong DPA

A DPA can be a very complex document to navigate around. Understanding key practices utilized by many companies can aid you in drafting a solid DPA. 

Key Clauses to Include

Depending on your organization, the involved parties, and the scope of data processing activities, your DPA will consist of various clauses. However, ensure to include the following clauses while formulating your DPA:

• Definition of terms: All terms in your DPA must be clearly listed and defined so that in the future, there is no room for misinterpretation. 
• Data minimization: As the controller, outline the fact that you will only be collecting and processing a certain amount of data for highly specified purposes. Those purposes must be highlighted. 
• Access control: As the controller, your DPA must outline the relevant data access tools that will be used throughout the process - be it encryption, password protection, or firewalls. 
• Processing limits: Outline the data processing limits concerning your users, customers and other kinds of data subjects. If your users have consent preferences, ensure that those are outlined as well. 
• Data storage duration: A specified period allowing the third-party processor to store and process your data must be provided in your DPA. It must also outline the retention timeline. 
• Data subjects’ rights: Your DPA should outline the rights of data privacy and freedom of your subjects. This will include information such as their right to access, delete, or correct their data - along with the measures to be taken in case their data is lost or breached. 

Regular Reviews and Updates

While there are no specific guidelines from the GDPR about how often a DPA should be reviewed, many companies make it a practice to regularly review and update their DPAs. 

This is done most often by organizations that are handling highly sensitive personal data. Bear in mind that if there are any significant changes in the data processing activity, the DPA should either be updated or a new one should be drafted. 

Such changes may include:

• New services provided to the controller by the processor 
• The processor has been acquired by another company or changed their location 
• The controller provides the processor with new kinds of data to be processed. 

Ensuring Mutual Accountability

The essence of a DPA lies in mutual accountability between the involved parties. This can be achieved by outlining the responsibilities, obligations, liabilities, and indemnities of the data processor, the data controller, and any other party involved (e.g. sub-processor). 

Common Pitfalls to Avoid in DPAs

It is always recommended to know common mistakes people make while drafting a data privacy agreement in order to avoid repeating those mistakes. 

Not Including All the Mandatory Terms and Conditions 

The GDPR has highly specific terms that must be included in all DPAs - only including some of them will not be GDPR-compliant. Bear in mind that the more detailed your DPA is and the more research you do on the mandatory terms - the likelier you are to avoid any legal consequences. 

For example, many organizations include most of the mandatory terms in their DPA but may forget to or choose not to address clauses and provisions such as data sub-processing. In case of a data breach, there could be consequences for the processor and controller if this term is not present in the DPA.

Not Specifying the Kind of Personal Data Being Processed 

It is critical to specify the kind of data that will be processed in the contract between the data controller and the processor. 

A generic DPA that does not specify the kind of data to be processed will be considered GDPR-non-compliant - which may result in legal consequences and penalties for the guilty parties. 

Inadequate Security Measures

Maintaining data security and integrity is one of the most crucial parts of data processing - and a detailed security protocol must be drafted into the DPA by both parties. In the absence of clear protocols, there are higher chances of a data breach, which can leave your business in a very vulnerable position. 

Ambiguity 

This applies to every section, addendum, and clause within a DPA. Ambiguity in a DPA gives room for misinterpretation, misunderstandings, and in the case of a data breach, penalties. Do not take any section of your DPA lightly - ensure that each process, mechanism, and protocol is defined with utmost clarity to not only avoid legal trouble - but also facilitate a smooth process for the involved parties. 

The Role of Data Protection Officers (DPOs) in DPA Compliance

We know what a DPA is; let us now understand what a DPO (data protection officer) means. 

A DPO is responsible for overseeing the data processing procedure in their organization. They strive to ensure that the personal data of the staff, customers, and other involved individuals remains safe and all procedures comply with local or global data protection standards. 

1. Advisory Role

The DPO advises the organization on its data protection obligations, precisely the scope of the Data Processing Agreement. This includes:

• Ensuring the DPA aligns with legal requirements, such as GDPR Article 28.
• Ensuring the DPA consists of all necessary clauses, such as the purpose and scope of processing, data subject rights, security measures, etc.

2. Ensuring Compliance

The DPO ensures the organization's compliance with the DPA terms by:

• Verifying that data processors comply with the obligations outlined in the DPA.
• Overseeing the implementation of technical and organizational security measures.

3. Conducting Risk Assessments

The DPO assesses all risks related to data processing activities and ensures that the DPA includes provisions for risk mitigation, such as:

• Implementing safeguards for data breaches
• Addressing cross-border data transfer risks.

4. Facilitating Communication

The DPO is the medium of contact between the organization and its processors to:

• Clarify roles and responsibilities defined in the DPA.
• Address queries regarding data protection obligations.

5. Auditing and Monitoring

The DPO periodically audits data processors to ensure DPA compliance, which involves:

• Reviewing data processing logs and reports.
• Inspecting processors' security practices.

6. Incident Management

Even after all security protocols, a data security incident does occur; in such a scenario, the DPO ensures that the processor adheres to the DPA's breach notification terms and assists in the resolution process.

Conclusion

Navigating around the nuances of a DPA can be overwhelming for many organizations. Engaging the services of a DPO consultancy firm can not only alleviate your doubts but will also streamline your process and provide expert guidance to facilitate your data processing agreement. 

DPO Consulting has over eight years of consulting experience and has guided over 800 clients globally for personal data protection and GDPR compliance. Committed to helping businesses execute their GDPR compliance and implement fail-safe DPAs, DPO Consulting tailors solutions to ensure that your business avoids penalties and has a hassle-free data processing procedure with third-party organizations.

DPO Consulting: Your Partner in GDPR Compliance

Investing in GDPR compliance efforts can weigh heavily on large corporations as well as smaller to medium-sized enterprises (SMEs). Turning to an external resource or support can relieve the burden of an internal audit on businesses across the board and alleviate the strain on company finances, technological capabilities, and expertise. 

External auditors and expert partners like DPO Consulting are well-positioned to help organizations effectively tackle the complex nature of GDPR audits. These trained professionals act as an extension of your team, helping to streamline audit processes, identify areas of improvement, implement necessary changes, and secure compliance with GDPR.

Entrusting the right partner provides the advantage of impartiality and adherence to industry standards and unlocks a wealth of resources such as industry-specific insights, resulting in unbiased assessments and compliance success. Working with DPO Consulting translates to valuable time saved and takes away the burden from in-house staff, while considerably reducing company costs.

Our solutions

GDPR and Compliance

• GDPR Software (myDPO)
• GDPR Compliance Audits
• Privacy Impact Assessments (PIA)
• Clinical Trial Compliance

Outsourced DPO & Representation

• Outsourced DPO
• International DPO
• EU Representative
• UK Representative
• US Privacy Services

Training & Support

• Customized DPO Coaching
• GDPR Training