What is a DPA? Data Processing Agreement for GDPR Explained

Posted by Kevin Yun | August 5, 2023

Introduction

Chances are you're reading this because you're exploring what it takes to make your B2B SaaS company GDPR compliant. Perhaps a prospect or customer asked you for a copy of your DPA, or perhaps you came across a GDPR checklist that mentioned the term "DPA," Googled "What is a DPA?", and found this article.

The GDPR has profoundly changed how organizations operating within the European Union handle, process, and manage personal data. It is an overarching privacy regulation and therefore places a great deal of responsibility on any organization entrusted with the personal information of EU citizens. One of its major requirements is that a Data Processing Agreement exist between the controller and the processor of personal data. What does a DPA involve, and why is it such a cornerstone of GDPR compliance?

A Data Processing Agreement is a legally binding contract that sets out the data protection responsibilities and liabilities of a data controller and a data processor. The data controller determines the purposes and means of processing personal data, while the data processor is a third party that carries out processing on the controller's behalf. The GDPR imposes direct legal obligations on both controllers and processors to handle and secure personal data properly; the DPA formally defines how those obligations are divided between the two parties.

If you are planning to draft or adopt a DPA for your own startup, GDPR.eu provides a recommended sample DPA.

This post reviews the key elements of a GDPR Data Processing Agreement and explains why a sound DPA is paramount for any organization that processes the data of EU citizens.

Key Elements of a GDPR Data Processing Agreement

While the exact contents vary, a GDPR DPA will generally cover the following:

Nature and purpose of the processing: What data is collected, from whom, and for what purposes.

Types of personal data: The categories of personal data involved, such as first name and surname, residential address, contact details, financial information, IP address, location data, online identifiers, etc.

Categories of data subjects: Whose data is processed, for example customers, newsletter subscribers, website visitors, event participants, etc.

Processor security responsibilities: The technical and organizational measures the processor must apply when processing the data, including encryption, access controls, testing, audits, etc.

Sub-processing rules: The conditions under which the processor may engage sub-processors or subcontractors. Sub-processors must be bound by the same obligations as the DPA imposes on the processor.

Data transfer policies: Controls over the export of data from the EU, for instance by requiring Privacy Shield certification or Model Contract Clauses.

Audit rights: The controller's right to audit the processor's data security measures and GDPR compliance.

Obligations after contract termination: For example, deleting or returning all personal data once the contract ends.

The DPA provides legally binding instructions that define the basis on which the processor may process the controller's data. Adhering to the DPA reduces compliance risk for both parties.

Importance of Having a Data Processing Agreement

Although DPAs may seem cumbersome to draft, they are essential for several reasons:

Helps ensure GDPR compliance: The DPA formally defines the data protection responsibilities of controllers and processors, which helps close potential compliance gaps.

Reduces liability risk: A sound DPA signals to regulators and data subjects that the parties take their GDPR obligations seriously, reducing the risk of fines, lawsuits, and other enforcement actions.

Provides transparency to data subjects: EU citizens have the right to know how their personal information is processed, and the DPA offers visibility into data handling practices.

Builds trust: A well-drafted DPA sets clear expectations and responsibilities for both controllers and processors, making business dealings far smoother.

Standardizes data protection: Writing down requirements such as security controls and audit rights gives a processor standardized rules for data handling across all of its clients.

Without a DPA, the controller remains exposed to liability for any misuse of data by the processor. The agreement secures a legal commitment from the processor and provides a means to hold it accountable. Ultimately, a thorough DPA minimizes compliance blind spots and demonstrates diligence to regulators and data subjects.

Consequences of Not Having a Data Processing Agreement

Unfortunately, many organizations underestimate the role of DPAs in their GDPR compliance programs. Failing to have a tight DPA carries serious consequences, including:

Regulatory investigations and fines: The ICO can audit any business to check that it has proper contracts with its processors. Without a DPA, the business is in violation of GDPR Article 28, which can attract fines of up to 20 million EUR or 4% of global revenue.

Civil litigation by data subjects: Anyone who has suffered damage as a result of non-compliant processing can sue the controller and processor for compensation. Poorly defined responsibilities within the DPA make such lawsuits harder to defend.

Reputational damage: Data breaches and compliance violations usually attract heavy press coverage. Companies without processor contracts may face public criticism and lose consumer confidence.

Termination of services: Processors handling sensitive data may refuse to serve controllers who will not sign a DPA, because of the processors' own liability under the GDPR. This disrupts business operations.

Weaker security posture: Without a DPA, processors have less incentive to implement strong data security, which indirectly exposes controllers to greater cyber risk.

A thorough Data Processing Agreement clearly sets out the responsibilities of controllers and processors alike. Drafting one is demanding, but the payoff is worth it: it makes navigating GDPR obligations easier and assures data protection. Keeping your organization GDPR compliant is an ongoing process, not a checkbox exercise, and investing in a robust DPA is a key step toward operationalizing data protection and minimizing compliance risk.

Conclusion

Data Processing Agreements provide a formal, legally binding agreement between controllers and processors of personal information under the GDPR. A well-drafted DPA lays down binding data handling instructions and security expectations for the processor. Having a DPA gives data subjects transparency, mitigates liability risk for both parties, and ultimately supports long-term GDPR compliance. Organizations that fall within the scope of the GDPR should take the trouble to put a proper data processing agreement in place with every third-party processor they engage.

Crafting a good DPA takes effort, but it pays long-term dividends by upholding data security and privacy protections. Built on a sound DPA, an organization can ensure more secure and responsible processing of personal data in line with the goals of the GDPR. Once your organization has a DPA, expect prospects and customers to ask you for a signed copy.

That's where ComplyDog comes into play: our software for maintaining GDPR compliance offers integrations such as DocuSign and Dropbox Sign that handle this process automatically, so you never have to field DPA signature requests on your own. ComplyDog offers a free trial -- sign up here.
