The GDPR Series (15): Data Processing Addendums [DPAs]

As much as the GDPR is intent on creating data prioritization and privacy within an organization, it must not be forgotten that the regulation is also meant to apportion risk and responsibility to vendors, consultants, and other third parties with access to an organization’s network and data. While most organizations have been focused on their GDPR preparedness, they may have overlooked how a third party’s compliance may affect their program.

As data runs across networks, the GDPR’s standard is no longer confined to the data flowing across an organization’s own campus and systems; the expectation extends to its various partners and vendors as well.

Software-as-a-Service (SaaS) companies are exposed explicitly to the GDPR. The basis of the SaaS model as it pertains to data usage has long been to obtain consent (i.e., privacy policy acceptance). As many technology firms looked at data from a U.S. perspective of “personal information” as opposed to the more expansive GDPR definition of “personal data,” new policies and consent must be published to be GDPR compliant. To reduce the confusion of what data is used, Data Processing Addendums (DPA) should be entered into by customers to define consent and create clarity.

What is a DPA?

To ensure that personal data is not only defined but also handled correctly by third parties, a Data Processing Addendum is drawn up that obliges the parties to achieve GDPR compliance throughout the network and affirms that they have done so. It is designed to show consumers that data privacy is upheld by everyone who may have access to their information. A few assurances that the DPA lays out are:

  • how the processing of personal data is being performed,
  • personnel obligations (i.e., the duty of confidentiality),
  • any use of sub-processors to do so (including but not limited to any data backup and disaster recovery services contracted by the data processor),
  • interaction with the controller regarding compliance with its obligations, including personal data breach notification and management, and
  • liability limitations.

Auditing of such processing by the controller will likely be requested by the client-company acting as a controller to

The GDPR is not a business-to-business regulation, but, under both the GDPR and prior EU law, an EU organization cannot send personal data to a non-EU organization unless the two enter into a DPA. DPAs are essentially contract updates, but they are important: they create transparency about what data is held and how it is used, and they establish shared liability for any use and processing of that data.
