Data Processing Agreements (DPAs) – More than a UK GDPR guarantee

In one of our earlier blogs, we looked at the roles of the Data Controller and Data Processor. 

As a brief reminder the data controller legally owns the personal data, decides how personal data can be used and how it is stored, while the data processor acts on behalf of the data controller. The processor makes no decisions of their own but simply acts on the controller’s instructions. 

A data processing agreement (DPA) is an agreement between the data controller and any data processors such as a third-party service provider (e.g., IT supplier, accountant, HR specialist, web developer). The DPA is a key part of compliance with the UK GDPR and relevant other data protection legislation. It lays out the technical and organisational requirements for the controller and processor to follow when handling personal data. This includes setting terms for how data is stored, protected, processed, accessed, and used. The agreement should also define exactly what a data processor can and cannot do with the data provided by the data controller. 

Another area that may need to be considered by processors is having DPAs in place with anyone they subcontract work to. In short if a data controller outsources any part of their work that involves personal data leaving their direct supervision, then a DPA needs to be in place. That includes email clients, scheduling software and telemarketers.

With many organisations shifting their I.T. into the cloud, to accommodate home working and save money on updating hardware. All data processing agreements will need to be updated as part of any move to a cloud service to ensure that data subjects (those whose personal data is held) are still able to exercise their rights. 

The ICO (Information Commissioners Office) have published a paper on understanding data protection in the cloud. They emphasise the need for data protection agreements to be signed by all parties who may have access to the data held on an organisation’s clients. Review of any service changes would then fall within the annual data protection audit recommended by the ICO, that all organisations should undertake, to make sure that the protections in place reflect any updates in software or hardware that may affect access security or storage of person data.

Many people are relying on the often-contradictory advice to be found online to interpret their data protection obligations. Some of the ‘free’ advice and online templates widely available, that include DPA templates, miss a lot of the legal requirements of the DPA out whilst still referring to old data protection legislation, such as the EU GDPR, which was superseded in 2021 by the UK GDPR.

Getting clear straightforward advice from professionals who undertake regular certification training and who understand the latest personal data protection legislation can save an organisation time, money, and loss of reputation. 

CSRB will help you manage and protect personal data responsibly while taking the jargon out of the process. Contact us here or call 0117 325 0830 to learn more about how we can bring clarity to your data management processes