In the first blog of my data protection series, I will look at data processing agreements (DPAs), what they are and why they are an essential part of how businesses, when acting as data controllers, engage with third party data processors.
What are DPAs?
DPAs govern how organisations share personal data with other organisations that process that data on their behalf.
A classic example is when a business (X) engages a firm of accountants (Y) to run its payroll. In order for Y to do that, X must share employee information with Y, for example employee names, bank details, salaries and so on.
Before doing this, X is obliged not only to perform due diligence on Y, to make sure Y can guarantee the safety of the personal data shared with it for payroll purposes, but also to ensure that the processor Y is subject to the several other conditions of processing which the UK General Data Protection Regulation (UK GDPR) requires.
Such conditions are contained in a written DPA, which both parties sign up to and abide by during the course of their relationship.
Why are DPAs important?
Firstly, because it is a legal requirement under Article 28 of the UK GDPR to have DPAs in place with organisations that process personal data on your behalf.
Secondly, all organisations must have data protection at the forefront of their processing activities to ensure that the data they collect, store, share and use in their day-to-day activities is kept safe to the benefit of their staff, third parties and other data subjects they engage with. Controllers (i.e. the bodies sharing the data) are ultimately liable if they share the data incorrectly or in breach of the UK GDPR and can be fined in that capacity by the ICO. Processors can also be fined. Fines can be up to £8.7 million or up to 2% of total annual worldwide turnover for any breach of certain UK GDPR obligations.
Failure to have a DPA in place attracts the risk of enforcement action, fines, and ultimately reputational damage if data is shared illegally or not in the spirit of the UK GDPR’s main objectives to process data lawfully, fairly and transparently.
What should we include in a DPA?
Article 28 of the UK GDPR establishes specific requirements for engaging processors, which can be included in a DPA: for example, details of what data is being shared, why, and for how long. The DPA must also stipulate that, before any sharing takes place, the processor has implemented appropriate technical and organisational measures to protect the data, and must record the processor's written confirmation that it will only process the data on the controller's instructions and will not share it with anyone else.
The DPA can be written within a commercial contract or can be drafted as a standalone agreement.
We do not have any DPAs in place, what should we do?
We would advise you to review the data processing activity with a view to implementing a DPA as soon as possible. If you need advice on how to draft the DPA, how to approach the subject with the processor or controller, or what to do if you think you have breached an existing DPA, please get in touch.