A DPA will generally cover the scope and purpose of data processing, what data will be processed, how the data will be protected, and the relationship between the data controller and the data processor. Under the GDPR, DPAs must include particular details, including information about:
- the processing itself - including the types of personal data being processed, what activities are involved in the processing, how the personal data will be used, how long the data will be processed for, how and where the data will be stored, and the personnel responsible for ensuring GDPR compliance
- the responsibilities of the data controller - the data controller needs to establish a lawful basis for processing personal data and must ensure that the rights of individuals are complied with. The data controller is also responsible for determining how the data processor is to process the data
- the responsibilities of the data processor - under the GDPR, data processors have many responsibilities, including maintaining information security, cooperating with authorities (like the Information Commissioner's Office, also known as the 'ICO') in the event of an enquiry, reporting data breaches, detailed record-keeping, and deletion or return of data at the end of the contract
- any technical and organisational requirements - under the GDPR, data controllers and processors need to consider how state-of-the-art technology, the costs of implementation, and variances in personal freedoms affect their ability to ensure ongoing data security. This includes considering and setting out how data will be encrypted, accessed, and tested, and determining whether both parties can ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Where the data processor intends to rely on sub-processors, the DPA should outline such sub-contractual relationships. The data processor generally needs written consent from the data controller to use sub-processors, which must in turn ensure data protection and GDPR compliance.