As a business, if you’re dealing with another party (including another business) and personal data is involved, you may need a data processing agreement or data sharing agreement. Implementing these agreements is important for UK GDPR compliance and to help protect your business.
What's the difference?
A data processing agreement (DPA) is a written contract put in place between a controller and a processor. Typically, a business will engage a supplier which then acts as a processor of personal data. The agreement can be standalone but is often implemented as an addendum to the relevant main commercial agreement, for example a services agreement or a set of standard terms.
Crucially, when a controller engages a processor, it must be via a written contract which contains certain items prescribed by the UK GDPR.
A data sharing agreement (DSA) will typically be put in place between two controllers, either acting jointly or independently. A written agreement isn’t required under the UK GDPR, but it is always advisable to put one in place to ensure responsibilities are clear and to help mitigate legal risk.
What does a DSA contain?
These agreements will consider items required under the UK GDPR, including the subject matter, duration, nature and purpose of the processing, categories of personal data and types of data subject. They will also factor in clear and express obligations on the processor in line with the UK GDPR and implement provisions governing record keeping, audit rights, security, personal data breaches, data subject requests, direct marketing, subcontractors and data return and destruction. They would also (ideally) provide an uncapped indemnity from the processor – processors are only liable for loss or damage suffered by data subjects/controllers in limited circumstances, therefore a controller should seek a capped indemnity and satisfy themselves that the processor has sufficient insurance/assets to pay out should the controller ever seek to enforce the indemnity against the processor.
What does a DPA contain?
These agreements should express the purpose for which relevant personal data is shared and set out clear obligations on each controller as data sharer and data receiver. A DPA should also include provisions governing quality, access, storage, retention, security, onward transfer and deletion of shared personal data and direct marketing (if relevant), and identify limitations and exclusions of liability and optionally an (uncapped) indemnity. Unlike the position with processors, under UK GDPR controllers are liable for the respective loss and damage they cause, so these provisions will typically be mutually negotiated as each controller is usually concerned to limit its liability under the contract.
What should I think about as a controller engaging a processor?
As a controller dealing with a processor, a crucial concern will be data security – essentially you will want the processor to apply the same security standards to the processed personal data as the controller does. You will also want control over onward transfers of personal data or engagement of sub-processors by the processor. In addition, a controller will want to see that a processor has a good, demonstrated track record in respect of data protection compliance and ideally a dedicated data protection compliance team or individual within the business.
What should I think about as a processor being engaged by a controller?
The controller will likely be concerned about its potential liability position as set out above, and many controllers will have ‘standard’ non-negotiable data processing agreements. Therefore, as a processor you’ll want to ensure you can comply with all obligations imposed on you under any processing agreement, for example that as a business you’re able to notify the controller of a personal data breach within 24 hours of becoming aware of it, if that is what’s required under a processing agreement with a controller. If you’re relying on data protection insurance, you’ll want to ensure your insurance cover reconciles with your liability under the processing agreement to mitigate against a shortfall or, even worse, the insurer not paying out what you expected!
How can we help?
We can advise on the data sharing or processing relationships from a legal perspective, including identifying independent and joint controllers and data processors. We also have extensive experience in drafting, reviewing and negotiating both national and cross-border data processing and data sharing agreements on behalf of clients across a range of sectors.