Steps to GDPR Compliance: Data Processing Agreements (DPAs)
Post number 10/12 in HireRight's "Steps to GDPR Compliance" blog series discusses data processing agreements (or DPAs), including what they are and why they are needed.
Step 10 – DPAs – As Easy as 1-2-3…..?
With just under 50 days to go before the GDPR comes into force, most data controller organisations are starting to send out Data Processing Agreements (DPAs) to their processors. But what is a DPA and why is it needed?
What is a DPA and why do we need them?
A DPA is an agreement entered into between the data controller and data processor which evidences that the data processor is complying with relevant requirements under the GDPR. However, most contracts between parties that have any nexus to the processing of personal data will already contain provisions relating to that processing.
So why is a new, or updated, document required?
In short, the GDPR requires it. Under current laws, the only defined obligation of a data processor is to comply with the 7th processing principle: to ensure adequate security and technical measures are in place. Usually, contracts will also contain an obligation for the data processor to process data only in accordance with the data controller’s instructions.
However, under the GDPR, the contract requirements are wider and no longer confined to recording adherence with the 7th processing principle. The GDPR envisages that DPAs will ensure, and demonstrate, compliance with all applicable GDPR requirements.
To those outside of the contractual relationship, including any Supervisory Authority, the DPA shows that both the data controller and data processor are:
Aware of and committed to complying with the GDPR;
Protecting the personal data of customers, staff, and others (as may be applicable); and
Clear about their respective roles concerning the personal data that is being processed.
What do DPAs have to include?
The GDPR sets out that DPAs must include:
The subject matter and duration of any processing;
The nature and purpose of the processing;
The type of personal data and categories of data subject; and
The obligations and rights of the data controller.
In respect to the first three bullet points, these are usually dealt with in schedules; and in context of pre-employment screening, these points would include reference to the type of data being processed as part of the verification process, such as education, employment, credit, and criminal history.
A DPA should also include terms holding the data processor to its obligations under Article 28 of the GDPR. These minimum terms require a data processor to:
Act only on the written instructions of the data controller;
Ensure that any person processing personal data does so in a confidential manner;
Take appropriate measures to ensure the security of processing;
Engage sub-processors only where the data controller has already consented (note that it is possible to include reference to any previous consents obtained within the DPA);
Help the data controller in managing subject access requests and other rights of data subjects;
Assist the data controller in meeting its GDPR obligations in relation to:
The security of processing;
The notification of personal data breaches; and
Data protection impact assessments;
Delete or return all personal data to the data controller as requested at the end of the contract;
Submit to audits and inspections and provide to the data controller the information required to ensure both data controller and data processor are meeting their Article 28 obligations; and
Tell the data controller immediately if it is asked to do something infringing the GDPR or other data protection laws of the EU or a member state.
What is HireRight doing?
Unlike with data transfer agreements (e.g., EU model clause agreements), the EU Commission is yet to provide a standard DPA template for use by data controllers.
Further to this, the introduction of new requirements, such as DPAs, presents intertwined challenges for processors, including:
The logistics of managing such a change across multiple customer/data controller requirements and forms; and
Consistency of approach – i.e., if the idea of the DPA is to show that a data processor is assuring GDPR compliance, signing multiple differing DPAs for different controllers may undermine this objective for both parties.
As such, for the past months, HireRight has been engaged in reviewing the merits of introducing a HireRight standard form DPA. HireRight has determined that using such a document will help demonstrate (to the benefit of both processor and controller alike) to any supervisory authority that we are holding ourselves to the same standards across all clients and that privacy is embedded into our organisation.
In respect of the template to be used, HireRight made the decision to use the Article 28 Working Party draft made available earlier this year, with just a couple of amendments to take into account our unique services. In the absence of an official standard, we believe this is the correct template to use and that it is likely to (a) become the industry standard; and (b) be acceptable to any Supervisory Authority. As such, HireRight will be sending our standard form DPA to current EU clients within the next 2-3 weeks.
When a data controller engages a third-party service provider to process personal data, there are at least two important things for them to consider:
That the third-party processor is prepared to offer assurances with respect to compliance obligations under GDPR; and
That the third-party processor takes a consistent approach to those compliance obligations.
By using the Article 28 Working Party DPA template, as HireRight has done, it is possible to show that both the data controller and data processor understand their obligations and responsibilities.
Release Date: April 11, 2018
Caroline is a UK qualified lawyer with over 18 years’ experience and currently serves as HireRight’s Deputy General Counsel for the EMEA and APAC regions. When not “lawyering” or writing blogs, Caroline can be found striking yoga poses in remote locations such as Mongolia and Bhutan.