Signing the DPA: Why IT Outsourcers Need to Comply With the Data Protection Regulation

In May 2018, the European Privacy Data Security Act came into force. It consists of hundreds of paragraphs that include requirements for all EU member states as well as their partners outside of this international entity.

The law has two main concepts: the General Data Protection Regulation (GDPR) and the Data Processing Agreement (DPA). Information security issues for IT outsourcing service providers are more relevant today than ever before.

GDPR and DPA: Understanding the Essence of Concepts

The GDPR is a data privacy and security law adopted in the European Union. It imposes a list of obligations on all states that do business with EU countries. Non-compliance with the law can result in heavy fines, which can be as high as several million euros. 

According to the GDPR, there are such subjects of work with information:

- Data subject: a person concerned by this information;

- Controller: a person/group of people who determine the purposes for which the information is used and how it is processed;

- Operator: a person/group of people who process the information received in accordance with the assigned tasks.

In terms of the activities of outsourcing companies, this list will look like this:

- Controller: software client company;

- Operator: outsourcing service provider;

- Data subject: target audience (for which the app is created) and data (used for correct operation).

For example: The owners of a private clinic from an EU country approached an IT outsourcing service provider from Ukraine to develop an EHR (Electronic Health Record). This type of software is a virtual version of a clinic's patient history and has strictly confidential information. In this case, the EU clinic will act as the controller, IT outsourcers from Ukraine will act as the operator, and the clinic's patients will be the data subjects.

One of the conditions for legitimate business with the European Union is compliance with data protection regulations. This can be achieved by signing a DPA or Data Processing Agreement before starting cooperation. This document is signed between the controller and the operator and regulates their relationship concerning the transfer of sensitive data.

Signing the DPA is necessary even if the specifics of the contract do not require the storage of confidential data by the operator.

What Does a Data Processing Agreement Consist Of?

A standard document should include paragraphs that fully define the degree of responsibility of each party:

- categories of data to be transmitted;

- purpose of the information transfer;

- duration of its processing;

- definition of subjects of work with confidential data;

- the rights and obligations of the parties (controller and operator);

- the obligations of the operator to process data only in accordance with this document;

- the necessary security measures when handling the transferred data;

- assurance that the operator will provide the controller with all necessary reports to monitor compliance with the DPA;

- terms of storage of personal data, if necessary;

- the possibility of termination of the contract.

The content of the document may expand but definitely not exclude the above sections.

Collaboration With DPA Signing in Practice

After signing the Data Processing Agreement, the work of the customer and the outsourcing service provider will be structured as follows:

- the customer (controller) issues the contractor (operator) with technical requirements for the project;

- the outsourcer follows all confidential data security measures stipulated by the DPA;

- at the request of the controller, the operator may undergo some kind of certification or create internal rules for data processing.

Please note: There is no special certification based on the Data Privacy and Security Act yet, so such a request from the controller is unlikely.

Important Points When Signing a DPA

In order for cooperation to be mutually beneficial, the customer and the outsourcer must remember certain conditions that must be observed:

1. It is important to remember that both the operator and the controller are responsible for the security of confidential data. Therefore, when signing the Agreement, it is essential to ensure that all security measures are observed during the transfer of information. If the processor's bandwidth is not capable of providing an adequate level of data protection, both parties may suffer.

2. The controller must verify the validity of the operator's use of the data in accordance with the purposes spelled out in the DPA.

3. DPA should be written simply and clearly, so there is not the slightest possibility of misinterpretation of its essence.

4. The IT outsourcing provider should have an Agreement template that makes verifying GDPR compliance easy and brings the beginning of cooperation closer.

The problem of protecting confidential information is acute for all modern companies. That is why every self-respecting organization must do everything possible to ensure that cooperation is safe and reliable.