- Third party compliance is a critical element for an organisation to be completely GDPR compliant
- Data Processing Addendums (DPA) is necessary to ensure compliance throughout the network.
- DPAs are meant to bring data transparency while clarifying liability limitations.
Article excerpts from my forthcoming book – 99 Articles on the GDPR
As much as the GDPR is intent on creating data prioritization and privacy within an organization, it must not be forgotten that the regulation is also meant to apportion risk and responsibility to vendors, consultants, and other third parties with access to an organization’s network and data. While most organizations have been focused on their GDPR preparedness, they may have overlooked how a third party’s compliance may affect their program.
As data runs across networks, the GDPR’s standard is no longer confined to the data flowing across an organization’s campus and system, but the expectation is that to various partners and vendors as well.
Software-as-a-Service (SaaS) companies are exposed explicitly to the GDPR. The basis of the SaaS model as it pertains to data usage has long been to obtain consent (i.e., privacy policy acceptance). As many technology firms looked at data from a U.S. perspective of “personal information” as opposed to the more expansive GDPR definition of “personal data,” new policies and consent must be published to be GDPR compliant. To reduce the confusion of what data is used, Data Processing Addendums (DPA) should be entered into by customers to define consent and create clarity.
What is a DPA?
To ensure that personal data is not only defined but handled correctly by third parties, a Data Processing Addendum document is created that obliges and affirms that GDPR compliance is achieved throughout the network. It is designed to show consumers that data privacy is met by all who may have access to their information. A few assurances that the DPA lays out are:
- how the processing of personal data is being performed,
- personnel obligations (i.e., the duty of confidentiality),
- any use of sub-processors to do so (including but not limited to any data backup and disaster recovery services contracted by the data processor),
- interaction with the controller regarding compliance with its obligations, including personal data breach notification and management, and
- liability limitations. Auditing of such processing by the controller will likely be requested by the client-company acting as a controller to
The GDPR is not a business-to-business regulation but, under both the GDPR and prior EU laws, EU organization cannot send personal data to non-EU organizations unless the organizations enters into a DPA. DPA are essentially contract updates but they are important to create transparency in data and how it is being used to have shared liability for any use and processing of data.