PRACTICALITIES OF A DPA

31 July 2018

 

Practicalities of a data processing agreement

Article 28 of the General Data Protection Regulation (GDPR) states the conditions of a data processing agreement between the data controller and the data processor.

Recently, this agreement has been called into question, both as to its workability and as to whether it actually operates in the way the GDPR prescribes. https://gdpr-info.eu/art-28-gdpr/

Organisations are usually established as the data controller, and the program they use acts as the data processor, for example Microsoft OneDrive for Business, which is utilised by various companies. In accordance with Article 28 of the GDPR, an organisation should have a controller-processor agreement with their chosen software, which would usually be dictated by the data processor.

However, data controllers need to be able to assess processors regularly, usually through an audit. Although Microsoft do offer risk assessment tools, including audit reports that allow efficient evaluations, other companies do not. Therefore, instead of conducting an audit, a data controller can conduct yearly checks on security certifications and privacy statements in order to assess the efficiency of the data processor.

The ICO has recommended guidance on their website, including a data controller and data processor contract checklist, which should include:

  • The subject matter and duration of the processing.
  • The nature and purpose of the processing.
  • The type of personal data and categories of data subject.
  • The obligations and rights of the controller.

The ICO also has further information on the conditions of the contract, including compulsory terms, good practice, and the processor’s responsibility and liability:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/

In order to find a data processing agreement that works for your business, it is important for a data controller to find a data processor that fits the company requirements, as unfortunately it is not possible for every single organisation to have their preferred conditions introduced into a contract.

 
