A GDPR data processing agreement is a contract that is required between data controllers and data processors and that ensures each party handles personal data appropriately. A data controller is a person who owns the personal data, for example, a business that has collected client information. A data processor is someone who uses the data on the controller's behalf, for example, to create and send marketing emails.
If you are asking whether you need a data processing agreement, the chances are you probably do. While the GDPR requires that you have an agreement between data controllers and processors in place, it also makes sense to have a contract that protects both parties.
GDPR sets out a number of minimum requirements which ensure that a series of checks and balances protect data subjects. These apply primarily between the data controller and data processor and offer a significant amount of protection for everyone involved.
Aside from protecting the data controller if any data is mishandled, a data processing agreement should also stipulate that they have used due diligence in their selection of a data handler.
As a result of some of the requirements in the contract, data controllers must only give companies or individuals access to their data if they are credible and capable.
An example of this might be if you hired a marketing agency to run an email campaign. A credible and capable handler would only use your data on your campaign, while someone less credible might be less trustworthy with the information you share with them. Putting an agreement in place makes sure that they are also GDPR compliant.
Another example may be a parking company that manages the ANPR system to capture number plates and then passes your plate data to the owner of the car park to manage parking enforcement. The plate is passed to the DVLA to get the owner's details, and the parking enforcement team then has access to customers' information.
A data processing agreement also protects you should the worst happen and you experience a data breach and shows that you have put measures in place to protect your data subjects. So, for example, if you use a third-party service to take online payments and they suffer a breach, a data processing agreement would go some way to showing that you had taken steps to be GDPR compliant.
6SGlobal recommends that businesses of all sizes, even the smallest, should make sure that all of their data processing agreements are fit for purpose. If you require expert help, we also recommend implementing a GDPR Maturity Assessment to assess the security of your data.