Data processing virtually never happens in a vacuum by only one organisation. There are usually many organisations involved and managing data processing relationships is important. Virtually every organisation makes use of a processor (a third party vendor or service provider) to do something and that something often involves processing personal data for them. If someone processes personal data on your organisation’s behalf, you need to manage your relationship with them to ensure that both you and the processor are protecting the personal data sufficiently and in line with the relevant data protection laws. One way to manage these relationships is through a data processing agreement but there are other ways too.

It just makes sense to have some paperwork in place to make sure that everyone is doing things properly. Especially where you’re sharing personal data that your data subjects have entrusted you with, with another party.

Sometimes your processors might be in a different country to you, and as a result, the relationship involves transferring data across borders. These two topics can, therefore, be closely related. Some people call this vendor risk management or third party management but we prefer to call it managing data processing relationships because often one organisation can perform many roles – they can be a controller, joint controller, processor and sub-processor in the context of different activities. Vendor risk management is much broader than just data protection. 

How we can help you with managing data processing relationships

We set out two options for you to choose from, below. The options complement each other and you might switch options as you go along.

Know how to draft and implement data protection compliant contracts and SLAs by joining the Michalsons data protection programme and working through the managing data processing relationships module. Our programme empowers you to draft your own data processing agreement and highlights the relevant factors you need to take into account when managing your processor relationships. We also provide practical guidance through webinars and written content.

Empower yourself to find the right vendor risk management software for your organisation by joining our programme and working through our data protection software module.

  1. Work out what role you play in your relationships where you process personal data together with another organisation by doing a Data Protection Responsibility Assessment.
  2. If you’re a controller, processor or sub-processor, manage your relationship contractually by asking Michalsons to help you with a data processing agreement.
  3. If you’re a responsible party, operator or sub-operator, manage your relationship contractually by asking Michalsons to help you with an operator agreement.
  4. If you are a joint controller (or joint responsible party) with another organisation, agree who is accountable for which aspects of data protection law by asking Michalsons to draft a joint control agreement for you.
  5. If you are a controller and share personal data with another controller, manage your risks and do it lawfully by asking Michalsons to draft a data-sharing agreement for you.
  6. Identify the right vendor risk management software (an aspect of a privacy management platform) for your organisation by asking us to consult with you, give you demos, workshop the options and make a recommendation.

You can always request this option alongside the first one. If you are interested, please complete the form on the right or enquire now.

Our Experience

We have:

  • reviewed and helped negotiate over 40 data processing agreements for a high-growth technology SME in the telecommunications space;
  • helped IT services, retail and field sales clients maintain their data processing relationships by drafting and advising on data processing agreements generally and how they are required by law;
  • provided advice on specific pain points encountered when negotiating data processing agreements.

Our Clients

We have done work for clients in various countries across the globe, including multinationals. They include service providers, customers, resellers, marketers, developers, publishers, financial institutions, financial advisors, insurers, the media, industry bodies, and many others.

How you Benefit

  • Protect your organisation and the personal information you process by concluding a data processing agreement with your processors.
  • Lawfully transfer data across borders by understanding your obligations and responsibilities when using offshore processors. 
  • Reduce the risks of a dispute between yourself and your processors by clearly setting out what is expected of each party when it comes to processing personal information. 
  • Reduce your legal costs by managing your contracts yourself, with our guidance.