By Matt Riley, Quality and Compliance Director at Complete I.T., Data Protection Lead at Sharp
In 2015, a Justice of the Supreme Court uttered those famous words, ‘Contract is King’, and reviewing contracts is an essential part of my role, confirming that the right policies are in place to keep data safe.
A ‘Data Processing Agreement’ (DPA) is the legal term for the document in which businesses set out their expectations and obligations when sharing data with each other. As a Quality and Compliance Director, I regularly receive questions on this topic from team members and clients alike.
Data Processing Agreements are not simple tick-box exercises; they can in fact tell you a lot about the company you are about to work with. For example, if a prospective partner has reservations about signing a DPA, or declines to sign one, you would probably want to consider partnering with someone else, as they clearly don’t take data protection as seriously as you do.
Article 28 of the UK GDPR details what should be included in a DPA, and there are two sets of requirements:
- Details of what is being shared/processed by the third party
- A set of terms and conditions which include a set number of items
Four details must be included describing what is being shared and how it is to be used:
- What is being shared and how long the third party can process it for
- Nature and purpose – what is the shared data being used for?
- A list of what personal data is being shared (names, addresses etc.) and whose data is being shared (such as employees, clients etc.)
- A description of the controller’s rights to this data
The company sharing the data should be the one dictating the terms to the third party it is sharing this information with, not the other way around. If you are asked to complete this for a third party, it demonstrates that they really don’t have a good understanding of data protection, which raises the question – should you be working with them?
The other part of a DPA is the terms and conditions. Again, there is a standard set of clauses that should be included, and these are:
- Processing only on the documented instructions of the controller – This ensures that the processor (the third party) should only act under the instructions of the business sharing the data.
- Duty of confidence – Safeguards that the receiving party will keep data confidential.
- Appropriate security measures – This ensures that the receiving party will employ the necessary security measures to protect the data.
- Using sub-processors – So that should the receiving party need to share the data further (e.g. storing in Microsoft 365), this is fully documented.
- Data subjects’ rights – This ensures the receiving party will help with dealing with any requests made by individuals under their rights.
- Assisting the controller – Sets expectations about how or when the receiving party will help the controller.
- End-of-contract provisions – This is to certify that the third party knows what to do with the shared data at the end of the contract.
- Audits & Inspections – Gives the right to the sharing party to audit/inspect the receiving party in relation to all of the above.
Having a DPA in place prior to engaging with a new third party or supplier can prevent a potential breach of GDPR which could cause an even bigger problem for your organisation!
Get in touch to discuss any queries you have about data breaches or if you need help securing your organisation’s data.