Helping Clients Comply With DPA Compliance
While Meeting Business Goals
As companies increasingly rely on a broad range of data processing types for their operations, ranging from internal human resources matters to targeted advertising and other marketing strategies, ensuring compliance with data privacy laws such as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR) is paramount. Beyond consumer or otherwise public-facing components of a compliant privacy program, such as privacy policies, a key obligation imposed on businesses subject to these types of comprehensive privacy laws is implementing Data Processing Agreements, often referred to as “DPAs,” that meet certain regulatorily defined specifications.
Taking a step back helps to understand why a DPA is fundamental and foundational for ensuring privacy protections and guarding against reputational harm. Specifically, with the proliferation of digital processes and the global and often complex nature of data flows, there is an inherent risk of “data sprawl,” where there is a lack of awareness about what data is being processed and by whom, leading to a vastly increased chance of breach or abuse and an overall lack of respect of a individuals’ privacy rights. The data processing agreement plays a leading role in a robust privacy program as it outlines the roles, responsibilities, and scope of processing. DPAs, combined with data mapping and vendor risk assessments, ensure visibility, accountability, and security for the varying kinds of processing activities that an organization undertakes via vendors and, in particular, service providers. It is no surprise, then, that implementing DPAs is increasingly a requirement under many of the comprehensive privacy laws, such as California’s CCPA, as amended by the CPRA, among many others. This requirement is compounded in complexity due to the new privacy laws being passed regularly, resulting in the need to audit and regularly update existing DPAs and associated templates to ensure compliance with any additional language that may be required after a new law is passed.
Some of the key general components of DPAs include the following:
- The nature and purpose of processing;
- The type(s) of personal data to be processed by the vendor;
- The rights and responsibilities of the parties;
- The duration of and termination procedure concerning the processing;
- Ensuring both adequate technical and administrative safeguards in relation to the personal data processed, including as it relates to ensuring employees of the vendor, as well as any third parties, are required to maintain the confidentiality of the data;
- Ensuring that any subcontractors or other third parties that the vendor wishes to engage meet certain threshold criteria and potentially even require pre-approval or rights to object;
- Implement audit rights and procedures for exercising said audit, including as it relates to a demonstration of compliance; and
- Ensuring that the vendor and any of their subcontractors or third parties will assist with the deletion of data as well as any other privacy rights requests.
Beyond the general inclusions, as mentioned previously, states and countries have particular clauses that may have to be included in a DPA. For example, California’s CCPA, as amended by the CPRA, requires the following:
- Prohibition against service providers “selling” or “sharing” personal data;
- Specifying the business purpose of the processing;
- Prohibition against service providers from retaining, using, or disclosing personal data for their own purposes (subject to certain exceptions);
- Requiring the vendor to comply with the CCPA as amended by the CPRA;
- Granting audit and other rights to the business to ensure service providers’ compliance;
- Requiring notification if the service provider can no longer meet its obligations under the CCPA as amended by the CPRA; and
- Rights request compliance.
Additional key aspects of DPAs include indemnification and limitations of liability clauses and notification timelines concerning incidents and obligations in the event of a data breach. Further, in the international data transfer context, there are additional considerations ranging from standard contractual clauses (SCCs) and, more recently, the Data Privacy Framework (DPF).
At RICHT, we have counseled a broad range of clients, including startups and Fortune 500s, in drafting, reviewing, and negotiating DPAs tailored to meet the requirements of the ever-evolving legal frameworks both nationally and internationally. Our focus on privacy law and in-depth knowledge of the intricacies of privacy legislation enables us to provide comprehensive guidance on ensuring compliant DPAs that align with the specific obligations that correspond to each client-specific scenario. Whether it is a business or controller, vendor or processor, or some combination, we have the experience to understand how best to minimize risk in the context of data processing agreements while still meeting business goals.
Our Data Processing Agreement (DPA) Legal Services
Compliance Gap Analysis
DPA Review, Drafting, & Negotiation
DPA Playbooks