As much as the GDPR is intended to make data protection and privacy a priority within an organization, it must not be forgotten that the regulation also apportions risk and responsibility to vendors, consultants, and other third parties with access to an organization's network and data. While most organizations have focused on their own GDPR preparedness, many have overlooked how a third party's compliance, or lack of it, affects their program.
Because data flows across networks, the GDPR's standard is no longer confined to data moving within an organization's own campus and systems; the same expectation extends to the partners and vendors that handle that data.
What is a DPA?
To ensure that personal data is not only defined but also handled correctly by third parties, a Data Processing Addendum (DPA) is put in place: a contract document in which the processor commits to the obligations the GDPR (Article 28) requires whenever a controller engages a processor. It is meant to demonstrate to consumers that data privacy is upheld by everyone who may have access to their information. A few of the assurances a DPA sets out are:
- how the processing of personal data is being performed,
- personnel obligations (i.e., the duty of confidentiality),
- any use of sub-processors to do so (including but not limited to any data backup and disaster recovery services contracted by the data processor),
- interaction with the controller regarding compliance with its obligations, including personal data breach notification and management, and
- liability limitations.
Auditing of such processing will also likely be requested by the client company acting as controller to
The GDPR is not a business-to-business regulation as such, but under both the GDPR and the prior EU law (Directive 95/46/EC), an EU organization cannot hand personal data to another organization for processing on its behalf unless the two enter into a DPA; transfers to organizations outside the EU additionally require a lawful transfer mechanism. DPAs are essentially contract addenda, but they are important because they create transparency about what data is shared and how it is used, and they allocate liability for any use and processing of that data.