Should a Data Processing Agreement Be Bespoke for All My Customers?

A data processing agreement (DPA) is a contractual document between a data controller and a data processor. A DPA sets out mandatory legal rules around how a processor must handle personal data on behalf of the controller. DPAs are crucial for ensuring UK GDPR compliance when sharing personal data. Suppliers that rely on DPAs will work with a range of customers, so it is essential to consider whether a DPA needs to be tailored and bespoke for each one. This article explores whether a DPA should be bespoke for all customers.

When Do I Need a Data Processing Agreement? 

Under the UK General Data Protection Regulation (UK GDPR), strict rules govern the sharing of personal data with third parties. If your business handles personal information, it will typically be either a data ‘controller’ or a data ‘processor’:

  • a data controller is an individual or organisation responsible for determining how and why personal data is collected and used; and
  • a data processor is a separate entity or organisation that processes personal data on behalf of the controller by following their strict instructions.

A DPA is a legal requirement for both controllers and processors whenever a processor processes personal data on behalf of a controller. It outlines each party’s responsibilities under the UK GDPR and ensures the continual safeguarding of the personal data shared between the parties.

Under the UK GDPR, DPAs include explicit provisions describing the personal data being processed and outlining the controller’s obligations and rights.

A DPA is necessary if a controller shares personal data with third-party suppliers who will process it on their behalf. As such, DPAs are vital documents for businesses acting as suppliers who process personal data on behalf of their customers. 

Should a Data Processing Agreement Be Bespoke?

As explored below, whether a DPA should be bespoke will depend on your business activities and how you process personal data on behalf of customers. 

Some considerations include the following:

1. Offering The Same Service to All Controller Customers

If your business offers all customers the same (one-to-many) service with no differences whatsoever, you could adopt one standard DPA for all customers.

For instance, this could apply to a SaaS provider who simultaneously provides software services to hundreds of customers, processing the same personal data in the same way for every customer. In such a case, your business could use the same DPA for all customers without specific customisation – so long as the DPA accurately reflects how you will use their data and why.

2. Offering Bespoke Services to Controller Customers 

In contrast, if your business offers different services to customers and uses personal data differently, you may need to enter into a bespoke or customised DPA for customers. 

For instance, your business may deliver PR services to various clients. Some clients may provide you with sensitive or special-category personal data, whereas others may only provide you with basic and low-risk personal data, such as staff contact details.

Some clients may agree that your business should work with third-party subcontractors who will access their personal data, whereas others may disagree. 

In such cases, you must tailor your DPAs to the specific circumstances and data processing arrangements agreed with each customer, reflecting that customer’s requirements and data processing instructions.

3. Specific Customer Requests 

There are likely to be occasions when particular customers request bespoke DPAs or at least seek to negotiate key provisions to protect their personal data. This may be because a customer is particularly concerned about how a third party handles their personal data. 

For instance, savvy controller customers may request bespoke terms such as the following:

  • a data protection indemnity is a promise by one party (the indemnifying party) to pay the other party (the indemnified party) for a specific loss they suffer if a contractual trigger event occurs. Customers may request an indemnity whereby your business compensates them for any losses they suffer as a result of a breach of data protection laws; and
  • the UK GDPR states that a controller can only use a processor that provides sufficient guarantees to implement appropriate technical and organisational measures to protect personal data. This ensures that the processor’s processing will safeguard data subject rights. As such, some customers will seek to negotiate detailed security measures in DPAs, for instance contractual assurances around the types of security measures your business will have in place for the term of the DPA.

In certain circumstances, bespoke DPAs can help keep customers happy and secure their business. If you refuse to negotiate DPAs to reassure customers on data protection law issues, they may refuse to work with your company.

If you require help understanding which type of DPA is suitable for your business and customer base, you can seek legal advice from a data protection solicitor. A solicitor can guide you on your specific data processing activities and whether they warrant bespoke or standard DPAs for your customers.

Key Takeaways

Depending on your data processing activities, you will need to consider on a case-by-case basis whether you need a bespoke DPA. A bespoke DPA may not be necessary when a supplier provides a one-to-many or standard service where the data processing activities for all clients are the same.

However, a DPA should be bespoke where customers have specific requirements around data processing. You can seek advice from a data protection solicitor if you need help understanding which type of DPA is fit for purpose for your customer base. 

If you need help preparing a bespoke DPA, LegalVision’s experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Sej Lamba