A data processing agreement (or data processing addendum) is a legally binding document that describes an arrangement between two organisations where one instructs the other to process data on its behalf, for example where a controller instructs a processor.
Some commonplace examples:
- payroll — an employer instructing a human resources company to pay its employees on its behalf each month;
- telecoms — an organisation instructing a telecommunications service provider to route calls, messages or data traffic through their network; or
- pension funds — a pension fund instructing an administration company to administer member payments and beneficiary payouts on its behalf.
This almost always entails a third party processing people’s personal data. For this reason, data protection laws generally have strict rules governing data processing agreements.
These agreements are either between:
- a controller and a processor — the most common form; or
- a processor and a sub-processor — a less common form sometimes referred to as a sub-processing agreement.
If you are unsure whether you need a data processing agreement or not, read on — because you probably do and there could be dire consequences for not having one.
Why is a data processing agreement important?
They are important because data protection laws generally require an agreement whenever:
- a controller instructs a processor; or
- a processor instructs a sub-processor;
to carry out a task involving personal data on their behalf. There are severe consequences for the instructing controller or processor if they fail to have one in place. We’ve written all about how data processing agreements are required by law here.
It is also important for your organisation to understand data processing agreements (DPAs) whether you are the controller, processor or sub-processor, regardless of whether your organisation is the instructing organisation or not. DPAs affect your organisation no matter where it is in the data processing chain.
It just makes sense to have some paperwork in place to make sure that everyone is doing things properly, especially where you are sharing personal data that your data subjects have entrusted to you with another party.
How do you benefit from a data processing agreement?
You benefit because:
- legal requirement — data protection law generally requires a controller to have a DPA in place whenever they use a processor (and the same of a processor whenever they use a sub-processor);
- regulatory fines — you could receive fines from regulatory authorities if you don’t have one where you should;
- protects all parties — it makes sure that each organisation in the processing chain operates in compliance with relevant data protection laws and holds up its end of the bargain to protect the interests of all parties;
- minimal requirements — data protection laws generally prescribe minimal requirements for inclusion in DPAs, which protect data subjects through a system of checks and balances between the controller and the processor (or processor and sub-processor);
- other people’s data processing agreements — others may present you with DPAs that could be adequate, but you should make sure that they protect your organisation and are not simply for their benefit;
- information security — without written undertakings from your processors and sub-processors to meet specific information security requirements, you may not be doing enough to secure the personal data that you process or that others process on your behalf; and
- incident response — without the necessary paperwork obliging your processors or sub-processors to notify and assist you, you may struggle to respond to data breaches, leaks and other incidents quickly, comprehensively and effectively.
What to do next?
A controller often draws up a data processing agreement to make sure that a processor handles the controller’s data properly, but this need not be the case and there are benefits to a processor, or even a sub-processor, drawing up a DPA themselves.
If you can’t decide whether you’re a controller or processor, please see our article on who is responsible for data protection in your relationships.
So, whether you’re a controller, processor or sub-processor please:
- consider joining our Data Processing Relationship Programme (DPRP) or Data Protection Programme (which includes the DPRP as a satellite programme);
- complete our Online Data Processing Relationship Assessment to give us some insight into how you’re currently managing your data processing relationships and we’ll contact you with next steps; or
- complete the form on the right or enquire now and we will contact you to find out more about your requirements and give you a quote.