As data protection professionals, we are often involved in large contract negotiations where we are responsible for data processing agreements.
Here are some tips on how to prepare to negotiate (or renegotiate) your Data Processing Agreement (DPA) so that you get the best possible outcome.
First, know the party on the other side of the table.
Understand their business model and the services your organization is looking to purchase. Knowing what is important to the other party will give you a better sense of what can be achieved in the negotiation. Different types of vendors (SaaS providers, outsourced service providers, etc.) may also take very different positions on matters such as on-site audit rights and limits on the use of sub-processors.
Coordinate with the commercial/procurement team prior to negotiation.
Understand what your organization wants to achieve, make sure the commercial team understands the key (non-negotiable) terms of the DPA, and get their support. Let them know where your organization has some flexibility. It is important for the teams to work together and agree on the boundaries before talks begin. In some cases it carries considerably more weight when the commercial lead, rather than the privacy team, tells the other side that a term such as the restriction on data transfers is non-negotiable.
Understand your organization’s data processing needs.
If you are a controller, clearly define the scope and purpose of the data processing activities covered by the contract, and clearly set out the data processing obligations of the processor. Specify the personal data (the categories and data elements) that the processor can and will process on your behalf.
Identify and assess the specific data protection risks that a master agreement may pose.
Consider the nature of the master contract, the actual processing activity it entails, and the sensitivity of your data. This allows you to define your processing requirements precisely, including the technical and organizational measures the processor must comply with.
Consider the legal and regulatory environment, including sub-processors.
The entire data processing agreement may be undermined if data is accessed by sub-processors that cannot provide the security and safeguards the customer requires. If you know that certain jurisdictions are unacceptable, consider simply prohibiting the use of sub-processors in those jurisdictions.
Define your monitoring requirements.
Establish clear roles and responsibilities for both parties in terms of their rights and obligations. This includes who is responsible for monitoring compliance with the contract, and for conducting and participating in audits.
Finally, establish clear requirements for data transfer.
Set out the restrictions on transfers of personal data to third parties and to other jurisdictions. Implement the points above, and incorporate the latest Standard Contractual Clauses (SCCs) or another applicable data transfer mechanism.