As a data protection professional, you will often find yourself being part of large contractual negotiations, where you will be responsible for the data processing agreement.
Therefore, please find below a few tips on how to prepare for a (re-)negotiation of data processing agreements to achieve the best possible outcome.
First of all, know the party on the other side of the table:
Understand the other party’s business model and the services your organization is about to purchase from them. Knowing what may be critical to the other party will give you a better understanding of what may be possible to achieve as part of the negotiation. Also, different types of vendors (SaaS, outsourced services, etc.) may have very different views on matters such as the right to on-site audits, limitations on the use of sub-processors and more.
Align with your commercial / procurement team prior to the negotiations:
Know what your organisation wants to achieve, and make your commercial team understand the critical (non-negotiable) terms in your DPA, so that you have their support. Let them know where your organisation has some flexibility. It’s important that your team is aligned and has defined your organisation’s boundaries. Sometimes, having the commercial lead – rather than you – state that a data transfer provision is non-negotiable can carry significant weight.
Understand your organisation’s data processing needs:
If you are the Controller, be crystal clear when defining the scope and objectives of the data processing activities under the contract. Clearly outline the data processing obligations of the processor. Fence in the personal data (data elements) they can and will be processing on your behalf.
Identify and assess the particular data protection risks that the master agreement may result in:
Consider the nature of the master agreement, the actual processing activities it will result in, and the sensitivity of the data. Let this directly define the requirements for processing, including the technical and organizational measures that the processor needs to abide by.
Consider the legal and regulatory environment, including for sub-processors:
Your entire data processing agreement may be undermined by access to your data by a sub-processor that is not able to provide the security and safeguards that you mandate. If you know that certain jurisdictions won’t be acceptable for you, consider simply prohibiting the use of sub-processors in those jurisdictions.
Define monitoring requirements:
Establish clear roles and responsibilities for both parties regarding rights and obligations, including who will be responsible for monitoring compliance with the agreement, conducting and participating in audits, etc.
And last, but not least, establish clear requirements for data transfers:
Outline restrictions on the transfer of personal data to third parties, cf. above, and implement the latest SCCs or other relevant data transfer mechanisms.