If modern businesses and consumers were in a relationship, it'd be a pretty dysfunctional one, with one party having a wandering eye while the other had serious trust issues. In a KPMG survey about data collection by businesses, as many as 86% of consumers expressed concern over data privacy and 40% said they didn't trust businesses to use their data ethically.
Clearly, there's a serious trust deficit. But data processing agreements (DPAs) can help you bridge that trust gap with your consumers. In this article, you'll learn about the privacy regulations to watch out for in 2023, the importance of DPAs to privacy laws, and the key elements of DPAs.
What Is a Data Processing Agreement?
Many countries around the world have laws to safeguard the privacy of their citizens because violations may affect their human rights. Since personal data collected by businesses can breach privacy, several data protection laws exist to protect such personal data.
A data processing agreement is a legal document to ensure that the data processing adheres to these laws. But who are the parties involved in the agreement?
Let's understand some key terms first. When you give your name and address to a website or a paper-based survey, you are a "data subject" whose privacy and rights must be protected. The website or surveyor is a "data controller" because it decides how and why your personal data is processed. Any third-party service it uses, like a cloud service provider or a data center that stores your data, is a "sub-processor."
A DPA is usually between a data controller and a data processor. But it may also be between a data subject and controller, or between a data processor and a sub-processor. To truly understand the need for DPAs, let's look at some non-compliance cases from 2022.
What Can We Learn From Non-Compliance Cases of 2022?
2022 saw the second-highest fine ever, over $400 million, for non-compliance with the General Data Protection Regulation (GDPR) in Europe. A social media company you may have heard of was fined for not obtaining its users' consent.
Nothing new there, but it wasn't just the usual suspects. A non-profit that fights against disinformation — yes, the good guys! — was fined for revealing personal data while trying to prove the credibility of their evidence.
Over in the United States, the California Consumer Privacy Act (CCPA) claimed a beauty brand as its first victim for sharing personal data of its consumers with ad networks.
These examples show that a business can easily and inadvertently run afoul of privacy laws. Attention to privacy concerns is essential in even the simplest work task. The landscape will only get more complex in 2023.
Is Your Business Ready for Data Protection in 2023?
Let's go over some of the new laws and changes you can expect in 2023.
In the U.S., 2023 will see some new state privacy laws and changes to some existing laws that must be reflected in your data processing agreements:
- California Privacy Rights Act (CPRA): Effective January 1, 2023, CPRA's amendments to the CCPA grant two new rights to consumers in California.
- Virginia Consumer Data Protection Act (VCDPA): From January 1, 2023, any business processing personal data of 25,000 or more Virginia residents may be subject to the VCDPA.
- Colorado Privacy Act (CPA): Effective July 1, 2023, any business holding personal data of 25,000 or more Colorado residents may be subject to the CPA.
- Connecticut Senate Bill No. 6: Starting July 1, 2023, this act regulates the personal data privacy and online monitoring of Connecticut residents.
- Utah Consumer Privacy Act (UCPA): As of December 31, 2023, any business with personal data of 25,000 or more Utah residents may be subject to the UCPA.
Applicable federal laws also influence data processing agreements, such as the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry and the Gramm-Leach-Bliley Act in the financial industry. HIPAA calls them data use agreements.
If you have users in Canada, you may see extensive changes due to the Consumer Privacy Protection Act, Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
There are no significant changes to the GDPR that apply in the European Union (EU) and European Economic Area (EEA) or to any EU member state laws.
However, Switzerland, which is neither in the EU nor the EEA, will bring the GDPR-like New Federal Act on Data Protection into effect starting September 1, 2023. Swiss companies must incorporate its principles into their data processing agreements.
In the United Kingdom, the GDPR and the Data Protection Act 2018 continue to apply. But keep an eye on the Retained EU Law Revocation and Reform Bill that may revoke both, and the Data Protection and Digital Information Bill that may replace them.
Key Elements of a Data Processing Agreement
A DPA is often included as an addendum to the primary contract between the data controller and the service provider. Though every DPA has specific clauses to conform to relevant governing laws, they all share some common elements.
1. Restrictions on the Nature and Use of Data
A DPA weaves principles like consent, accountability, and responsibility into all data processing activities. By setting up a legal basis for data processors to follow, it ensures the protection of personal data.
One aspect of this legal framework is the categories of data subjects it covers, like end users, customers, employees, contractors, or vendors.
Another aspect is transparency on the subject matter of the data, the nature of the processing, and the duration of the processing. It narrows down the categories of personal data or customer data that can be processed, like contact information, addresses, or the data required for functionality.
In addition, laws like GDPR give data subjects the right to request the data stored about them. Such data subject requests must be addressed in good faith and without undue delay, and a DPA ensures that the data processors do so.
2. Data Privacy Measures
The case studies above showed us that privacy can be subtle. People may inadvertently violate it while routinely working on personal data. So a good DPA must define the expected outcomes of privacy protection clearly to all stakeholders. What constitutes sensitive data or confidential information? What kind of processing is allowed on such personal data and what's not? Attention to detail is essential in a DPA.
What if the information is too sensitive? Under GDPR, if the processing of personal data carries high risks to the rights of some natural persons, the data controller must conduct a data protection impact assessment first. They must consult the data protection officer and the supervisory authority. During such assessments and consulting, a DPA ensures that data processors and sub-processors provide reasonable assistance.
3. Data Security Measures
Another responsibility of a DPA is to translate all the legal requirements into concrete actions. It defines the organizational measures and security measures that controllers, processors, and sub-processors must implement and monitor to achieve the legal principles in spirit and on paper.
Organizational measures include tasks like defining the implementing roles and their responsibilities, the reporting hierarchy, and the process for appointing a data protection officer or equivalent.
A DPA recommends information security measures like:
- Anonymize personal and customer data.
- Use strong authentication and authorization policies.
- Encrypt data at rest (when stored), in motion (over the network), and in use (during processing).
- Maintain records of processing activities.
- Conduct regular risk assessments.
It may also require adherence to security standards and frameworks like:
- Service Organization Control 2 (SOC 2)
- Payment Card Industry Data Security Standard (PCI DSS)
- International Organization for Standardization's ISO 27001
4. Data Retention Policies
A common cause of data breaches is simple negligence. Without proper policies for storage and monitoring, personal data gets hoarded and forgotten over time until some malicious actor accesses and misuses it.
A DPA pre-empts this through well-defined policies for storage, retention, deletion, and monitoring. Laws like GDPR grant data subject rights like requesting the deletion of their data. A DPA makes sure that such requests are addressed by the data processors and all further processing of such personal data is stopped.
5. Data Breach Reporting
A personal data breach is a security breach that results in unlawful access, loss, alteration, or disclosure of personal data during processing, network transmission, or storage.
Since a breach can expose sensitive data and endanger the rights of victims, a DPA ensures that the affected data processor notifies the data controller without undue delay, and the controller in turn notifies the affected data subjects and the data protection authorities.
6. Data Transfer and Residency Policies
Data transfers and data residency (i.e., where the data is stored) have come under scrutiny in many countries, motivated by their responsibility to protect their citizens' rights, sovereignty over their data, geopolitical strategies, and national security goals. To ensure compliance with the residency and transfer laws at both ends of a transfer, a DPA provides a legal basis for data flows between data exporters and data importers.
For example, under GDPR, a set of standard contractual clauses (SCCs) protects personal data sent outside the European Economic Area to the same extent as GDPR does within the EEA.
7. Penalties for Non-Compliance
A DPA defines the penalties, compensation, fines, and legal remedies that apply when a data processor or sub-processor does not comply with the data privacy and protection terms of the relevant laws.
For example, GDPR's Article 83 empowers the competent supervisory authority to impose fines of up to 20 million euros or 4% of the business's annual turnover. To avoid such fines, or to pass them on to the sub-processor responsible, a DPA allocates penalties according to each entity's responsibilities.