Speaking to DMA Academy students on privacy & data ethics recently, I spent a surprising amount of time talking about Data Processing Agreements. This led to thoughts on when to do a DPA, how they fit with your business and why I'm a little bit in love with them…

It’s been 8 years since I first encountered some of the tools which privacy professionals, legal and compliance folk reveal and manage data risk. Compared with my world of cookie banners, AdTech and social graphs of personal data, terms like Data Protection Impact Assessments (DPIA) seemed very dry, a classic ‘box-ticking’ exercise. 

As GDPR dawned I quickly realised my first impressions couldn’t have been more wrong, and have since become a big fan. Today I want to add Data Processing Agreements (DPA) to the mix, as the one of the most useful and revealing controls you can apply to your organisation as part of Business As Usual, beyond compliance. 

So what is a DPA? It’s like a pre-nup; setting the rules between two companies sharing personal data - when it begins, who owns what and next steps if and when the relationship has run its course. 

Each DPA is unique, but should address these common questions:

• What is the goal for which the data will be collected? 

• What personal data will be shared? 

• Where does this data end up? Will it leave the UK or European Economic Area? 

• What are the responsibilities of the Controller (who is driving the process) and the Processor (who executes it) - which of these are shared?

• How is this data secured and who has access?  

• What happens and who is liable if something goes wrong? 

More will crop up depending on the context and complexity but these form the core of what is a Terms of Service agreement for organisations’ most valuable asset, their data. If you’re in the UK, I also recommend doing the Cyber Essentials certification, vital if you market products or services to the public sector. 

While doing a number of DPA’s for clients while acting as their Data Protection Officer it’s striking how the process quickly brings in key stakeholders. Collaboratively answering the above questions can’t help but reveal how each business uses data, treats partners and members of the public who use their services. It’s a real privilege for me to guide them in this journey. 

A recent example is Contactzilla, who offer a simple yet elegant SaaS (Software as a Service) product for businesses to sync and manage contacts across different departments, sites and on the road. Based in Canada, they’ve been winning new clients worldwide; the most recent being a chain of dental practices in Switzerland. 

As part of the onboarding process we tailored a DPA to reflect this new relationship across multiple jurisdictions for international data transfers (EU, Switzerland, UK and Canada), in partnership with the client’s compliance team.  

A number of templates are available to use as a starting point for your DPA from the EU and IAPP, while live examples from large organisations like Hubspot and UK have been shared as a common resource. Like DPIA’s, over time I’ve built my own templates and enjoy nerdily sharing these with other privacy professionals in my network, feeding in learnings we can all apply to clients. This is one of the major things I value in IAPP membership and the community they support.  

DPA’s should be living documents which link between an organisation’s Terms of Business and Privacy Policy and will change as new regulations come into force, for example around international data transfers. Just as in my case study for Privacy Assessments at Swash, the process of working on this DPA helped Contactzilla in a wider sense as the company plans to launch new cross-platform functions to all users later this year. 

Finally, as more businesses move from experimentation to serious application of AI across their activities, getting the ‘basics’ right around the data which fuels and tests algorithms is more important than ever. Analysing the life cycle of data, transparency on the actors and clarity around risk is at the heart of the governance required as AI scales to production worldwide, and the same questions as to ‘what, why and how?’ should apply as privacy professionals ourselves adapt to this sweeping new technology.