Data processing agreements are vital and mandatory under the UK General Data Protection Regulation (UK GDPR). The UK GDPR prescribes strict rules around the processing of personal data of living individuals. A data processing agreement must be strictly compliant with the relevant legal rules. However, organisations often make various mistakes when entering these agreements. This article will explore common errors in UK data processing agreements and how to avoid them.
What Is a Data Processing Agreement?
A data processing agreement is an agreement between data controllers and data processors relating to data processing activities. Its purpose is to set out each party’s obligations for complying with data protection laws when they share personal data, specifically when a controller shares certain personal data with a processor for specific purposes.
A data controller is an organisation that decides how and why to process personal data. In contrast, a data processor has no control over the personal data. Instead, the processor processes personal data using the controller’s instructions.
Typically, this relationship applies in customer-to-supplier relationships. For instance, a customer shares staff personal data with a supplier to allow them to deliver their services under a particular commercial agreement.
Some of the obligations under a data processing agreement include the following:
- the data processor is obligated to use personal data only in accordance with the controller’s instructions;
- obligations to keep personal data secure and confidential; and
- obligations to delete personal data at the end of the commercial relationship.
What Are Common Mistakes in a Data Processing Agreement?
There are several common mistakes which we often see in data processing agreements.
Here are some critical mistakes you should avoid when drafting these agreements:
1. The Agreement Does Not Include All Mandatory Terms
The UK GDPR prescribes specific terms to include in this type of agreement. Article 28 of the UK GDPR sets out these terms.
Agreements that contain only some of the required terms are not UK GDPR compliant. It is vital to check that your agreement contains all the terms required by law. The law prescribes a long list of terms that must be included at minimum. However, some data processing agreements omit certain mandatory terms. For instance, some fail to address provisions around data sub-processing.
Understanding the mandatory terms and what you are signing up for is essential. If you are a processor and breach the terms of your data processing agreement, a controller could have various remedies against you. Further, you would also fall short of your legal obligations under the UK GDPR rules.
2. The Agreement Does Not Specify Which Personal Data Is Processed
Your data processing agreements must be tailored and set out the data you are processing to comply with the UK GDPR.
Your agreements must state:
- information regarding the subject matter of the data processing;
- the duration of data processing;
- the nature and purposes of the data processing activities;
- the individuals whom you will process personal data about; and
- the types of personal data, e.g. names, email addresses, and telephone numbers.
Using a generic data processing agreement without this specific information will not be compliant. In particular, some data processing agreements fail to specify which types of personal data are processed.
3. The Agreement References Incorrect Laws
The EU General Data Protection Regulation (EU GDPR) came into force on 25 May 2018. Following the UK’s withdrawal from the EU, this law was effectively adopted into UK law, and the transposed law is known as the UK GDPR. The UK Data Protection Act 2018 (DPA 2018) implemented and supplemented the UK GDPR in the UK.
The EU GDPR and UK GDPR, whilst considerably similar, are nonetheless different laws. The UK’s own data protection law regime may also be changing, with prospective new rules in the pipeline.
Many UK company data processing agreements still refer to ‘EU GDPR’. However, for UK businesses subject to UK laws, the UK GDPR and the DPA 2018 should be referenced in their data processing agreements. Referring to the EU GDPR means referring to the incorrect regulatory regime.
For some UK businesses that are also subject to the EU GDPR, their agreements may also need to reference the EU GDPR. However, UK businesses not subject to the EU GDPR rules should be careful and use the correct terminology.
Ensuring that your data processing agreement also refers to the correct laws and regulators is vital. In the UK, this is the UK Information Commissioner’s Office.
Businesses may need help understanding which legal rules apply to them. If you are unsure whether your business needs to comply with both the UK and EU GDPR, you should seek legal advice.
Why Is It Important to Get Data Processing Agreements Right?
These agreements are mandatory under the UK GDPR rules. Failing to comply with the UK GDPR has several consequences. For instance, penalties include enforcement action and fines.
In addition, compliance with data protection laws is vital to developing trust and fostering good data governance. Companies must invest time in understanding data processing agreements and ensuring their agreements comply with the UK GDPR rules.
Key Takeaways
These types of agreement are mandatory under the UK GDPR and must be drafted carefully and correctly. Your business should ensure that your agreement contains all the required compulsory terms under Article 28 of the UK GDPR. You should also ensure your agreements are specific and correctly specify the personal data processed for each project. Further, you should ensure that your agreement refers to the correct regulatory regime. These are common mistakes companies make in their data processing agreements.
If you need help with a data processing agreement, you can contact LegalVision’s experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.