In spring 2018, the European Union began enforcing a regulation that affects virtually every business dealing with the personal data of EU citizens ‒ the General Data Protection Regulation (GDPR). Under this legislation, every EU member state, as well as any other country processing the personal data of EU citizens, must take serious measures to ensure its protection. A major component of GDPR compliance is signing a data processing agreement (DPA) between data controllers and data processors. What does this mean, and how does it apply to software development outsourcing? That’s what we’re going to talk about in this post.
According to European data protection law, the personal data of EU citizens can be processed by another party outside of the European Union provided that the parties sign a legal agreement that regulates this processing. That agreement is the DPA ‒ Data Processing Agreement.
A data processing agreement (DPA) is a legal document signed by the controller and the processor, either in written or in electronic form, whose purpose is to regulate the terms and conditions under which EU citizens’ personal data is processed. Personal data means any information that makes it possible to identify a person, such as first name and last name, date of birth, or place of residence.
The aspects the DPA covers include:
The data controller is the person or company that determines the conditions for data processing. In software development, it’s the client. A data processor is a person or company that processes data on behalf of a controller, in accordance with the controller’s instructions. In outsourcing, it’s the contractor.
Now, let’s take a closer look at how it works in Ukraine. Although we don’t belong to the European Union, all the regulations and directives of GDPR become applicable to our companies as soon as we come in contact with EU citizens’ data. It’s super common for IT outsourcing. Here’s an example.
Suppose an IT outsourcing company X gets an assignment from an EU customer to develop a data management app for a healthcare facility. Clearly, they need access to patients’ personal (and sometimes sensitive) information. Even if they aren’t going to store it on any device, it still falls under the “personal data processing” category.
According to the GDPR, the organization that defines the purpose of data processing (i.e. the controller) has more legal obligations, but how the EU customer and the outsourcing company are going to protect this data becomes the responsibility of both parties ‒ the EU company that needs to get the app done and the outsourcing company that requires data to finish the project.
It’s likely that your customer, who is also the data controller, will simply tell you what to do. You, as a data processor, would then have to implement all the organizational measures and follow the technical requirements spelled out in the DPA. In some cases, controllers might require a processor to pass a certification or develop corporate rules to be approved by EU regulatory agencies. However, there’s a very slim chance of that happening, because there is no standard GDPR-based certification yet, and all the available options are too complicated.
If a data controller wants to outsource some data processing activities to an overseas contractor, they have to prove that their non-EU based partner is GDPR-compliant and can guarantee sufficient levels of data protection. That’s why signing a data processing agreement (DPA) is crucial, especially in software development outsourcing.
Regardless of the purpose of a software product, an outsourcing company develops code through which it processes the data of its clients’ customers. And even if they aren’t storing any data, they have access to a database. That creates a need to agree on the terms of how this data is protected, processed, stored and used. So, yeah, the DPA is basically the outline of the conditions of the cooperation.
When it comes to signing a DPA, there are a couple of things to be mindful of, such as:
According to the GDPR, a controller may be held responsible for a data breach even if it happened on the processor’s side. Therefore, it’s in the best interest of both parties to make sure that the processor has the capacity to provide decent protection for all the data transferred to them by the controller. The smaller the risks, the better. However, if a breach does take place, the data processor should be able to take immediate measures to minimize its effect.
The data controller has to ensure that the scope of the processor’s DPA doesn’t exceed the original legal basis for data processing. In other words, the outsourcing company should only be able to use the data for the purposes spelled out in the agreement. It’s the controller’s responsibility to check how the processor will use the data transferred to them.
… because there shouldn’t be any. The text of a DPA should be straightforward and specific. For example, if the controller is going to audit the processor, all the details of the procedure must be specified. This helps ensure that both parties are very clear about the expectations and that there are no weak spots in the agreement.
Although GDPR has been around for a while, very few software development vendors have a DPA template. Those that don’t are technically not GDPR compliant. The lack of a DPA template also significantly slows down the cooperation process, because it forces the client to worry more about legal issues than about the actual software development.
Here at Relevant Software, we respect our clients’ time. That’s why we’ve developed a legal DPA template specifically for software development services. When starting a collaboration, a client just fills in the details and we’re all set.