Data processing agreement solicitors

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new requirements for organisations to deal with.

What is a data processing agreement?

In the majority of business relationships, personal data will flow from one party to another. Where a data processor carries out processing on behalf of a data controller, the data controller will not comply with the GDPR unless there is a written contract between the two parties setting out the terms, requirements and conditions on which the processing will take place. To give an example, when a company outsources payroll services, they will send personal data to that organisation. In order to be GDPR compliant, the company outsourcing the work must ensure that the organisation providing the services signs up to such an agreement. Data processing agreements between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities.

Why do I need a data processing agreement?

Article 28(3) of the GDPR specifically states that there must be a contract or other legal act in place between a data controller and a data processor. If there is no contract or other legal act in place, the data controller is in breach of the GDPR and may be open to potential enforcement action by supervisory authorities such as the ICO. Such enforcement actions include compliance orders and financial penalties. Financial penalties can reach up to EUR 20,000,000 or 4% of global turnover, whichever is higher.

As a data controller, a data processing agreement also protects you should your data processor break compliance, mishandle your data or fall victim to a data breach. Without such an agreement, responsibility and blame will fall on you for failing to do your due diligence and utilizing a third-party without adequate policies and procedures in place.

How do I create a data processing agreement?

Data processing agreements are just as important for small businesses as they are for large ones. Data processing agreements must also contain specific minimum terms. The agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects as well as the obligations and rights of both parties.

In addition, such agreements must contain specific terms or clauses regarding:

  • processing only on the data controller’s instructions
  • the duty of confidence;
  • appropriate security measures
  • using sub-processors
  • data subjects’ rights
  • assisting the controller
  • end of contract provisions; and
  • audits and inspections.

If the data processor uses another organisation i.e. a sub-processor to help it process personal data for the data controller, it must also have a written contract in place with that sub-processor.

Our data processing agreements solicitor Neil Williamson will help you draft your agreement or provide you advice.