In our previous post, we discussed specific considerations for common boilerplate provisions in data processing agreements (DPAs). Due to the sensitivity of data transfers and privacy laws, DPAs require careful drafting to ensure the data processor complies with appropriate privacy obligations and is responsible for any non-compliance.
This post takes a closer look at DPA-specific obligations relating to the data processing itself. Aside from the changes to general boilerplate provisions, DPAs should address the scope of the data transfer, obligations regarding the authority to process the data, as well as specific obligations surrounding the security measures to be taken by the processor, both preventatively and in the event of a security incident.
This post will outline several key provisions in DPAs, their function, and their importance in ensuring data protection:
• Scope of the DPA
• Authority to process data
• Security controls, breaches and incidents
Scope of the DPA
Data controllers should define the concepts of personal information and/or company data, where relevant, as widely as possible when drafting DPAs. This ensures the data processor’s obligations under the DPA extend to all data transferred as part of the service agreement, regardless of its origin. This includes data provided directly by the data controller or by another data processor as part of the agreement.
Data controllers should broaden the definition of personal information/company data to maximize data protection. The DPA should account for different sector-specific regimes’ definitions of personal information. Data controllers should account for both their own and their end users’ confidential information in this definition.
When drafting a DPA, data controllers should carefully map what kind of data is expected to be provided to the data processor. This mapping exercise ensures the DPA appropriately covers the different data, and can also be used by the data controller to consider whether any specific obligations should apply to more sensitive data, such as personal health information.
Authority to Process Data
Depending on the sensitivity of the data, data controllers should consider restricting which of the data processor’s personnel are authorized to handle the data for the specified business purposes under the service agreement. As a best practice, data controller’s data should only be available to data processor personnel on a need-to-know basis, subject to the specific job roles required to provide processing services. Due to the increased probability of misuse of sensitive data when the number of individuals accessing the data increases, this allows the data controller to mitigate the risk of its data being exposed or misused.
DPAs should also restrict the data processor’s actual use of the data to actions required for the business purpose in the service agreement and clearly state that the processor has no ownership rights or interest in the data. Further, the data controller should ensure data processors cannot use data provided for artificial intelligence development or other purposes for their own benefit.
DPAs may also include provisions stating that data processors may only use the data subject to the data controller’s written instructions. This can add an additional protection by allowing the data controller to take an active role in prescribing data uses for the data processor and helps to facilitate compliance with its own record-keeping, notice, and other data-protection requirements.
Finally, DPAs should place restrictions on subcontracting. This can include a complete prohibition from subcontracting out the data processing work or require the data controller’s consent for any subcontracting for very limited purposes.
DPAs should be drafted to ensure the data controller has the final say in how the data is processed, minimizing the risk of misuse, loss, or security breaches. It is prudent for data controllers to limit who has authority to process confidential data due to the increased probability of misuse of sensitive data when the number of individuals accessing the data increases.
Security Controls and Security Breaches/Incidents
Privacy laws may impose notice requirements, remediation obligations and penalties on data controllers for privacy breaches. Thus, establishing clear sets of obligations for data processors in the case of a security breach can allow data controllers to meet their own legal obligations.
Data controllers should expand the DPA provisions for security breach obligations to include any security incident or misuse of the data by the data processor or its personnel. This obligation should include both real and suspected incidents as this allows for mitigation efforts to be deployed early on by the data controller rather than waiting for a confirmation of a security incident, which can take several weeks depending on the complexity of the required forensic investigation.
Data controllers should include security control provisions in the DPA setting out the steps to be taken by a data processor to secure sensitive data and respond to data incidents. Depending on the nature and sensitivity of the data, data controllers may lay out more specific steps to be taken before or after a security incident. Furthermore, notification timeframes should be agreed upon in the DPA, generally ranging from 24 to 48 hours. When determining the data processor’s notification timeframe, data controllers should consider the time they require to meet their own notification requirements.
The level of detail provided in the DPA regarding security controls can be scaled depending on the sensitivity of the data provided to the data processor. DPAs involving less sensitive data may limit themselves to general obligations of ensuring confidentiality and integrity of the data, while data controllers should consider providing more detailed obligations to be respected by the data processor when the data is very sensitive. This language may also be influenced by the data controller’s own obligations to its other contractual partners, to ensure a chain of compliance.
Data controllers should ensure data processors are obligated to follow adequate security measures and ensure the DPA covers a broad range of incidents.
DPAs have unique provisions directly relating to processing the data controller’s data. These provisions are vital for achieving the purpose of the DPA and ensuring data protection and security protocol obligations are transferred to the data processor. In conjunction with the clauses listed in our last post, data controllers should consider these points when drafting DPAs to properly protect themselves.
Read part 1 here.