PRIV-25 – Data Protection Agreements


What is this control about?

Implementing the control ‘Data Protection Agreements’ is crucial for ensuring the proper protection of sensitive data and maintaining compliance with data protection regulations and privacy laws. Data Protection Agreements, also known as Data Processing Agreements or Data Privacy Agreements, are contractual agreements between data controllers and data processors that govern the processing and protection of personal data.

Available tools in the marketplace

Tools:

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – No recommendations

Control implementation

Here are some guidelines to implement a Data Protection Agreement:

  • Identify Data Processors: Work with the organization’s data protection and legal teams to identify all third-party data processors that handle personal data on behalf of the organization. This may include cloud service providers, marketing agencies, payroll processors, etc.
  • Review Existing Agreements: Evaluate the existing agreements with data processors to ensure they include appropriate data protection clauses and comply with relevant data protection regulations, such as GDPR or CCPA. Ensure that the agreements clearly outline the roles and responsibilities of each party regarding data protection.
  • Update Agreements: Collaborate with the legal team and data processors to update the agreements if necessary to address any deficiencies or changes in data processing practices. Include clauses related to data security, data breach notification, data retention, and other relevant aspects.
  • Standardize Agreements: Work towards standardizing the Data Protection Agreements across all data processors. Establish a template that can be used consistently, making it easier to manage and monitor the agreements.
  • Centralize Agreement Repository: Create a centralized repository or database to store all Data Protection Agreements. This repository should be accessible to authorized personnel and include essential information about each agreement, such as the data processor’s contact details, agreement expiration dates, and compliance status.
  • Tracking and Renewal Process: Implement a tracking and renewal process to ensure that Data Protection Agreements are up to date and in compliance. Set up reminders for agreement renewal and conduct periodic reviews to assess the effectiveness of the agreements.
  • Communication and Training: Conduct training sessions for relevant employees and stakeholders involved in data processing activities. Ensure they understand the importance of Data Protection Agreements and their responsibilities in adhering to them.
  • Monitoring and Compliance Audits: Regularly monitor the organization’s compliance with the Data Protection Agreements. Conduct internal audits or engage third-party auditors to assess the effectiveness of the control and identify areas for improvement.
  • Continuous Improvement: Continuously evaluate and enhance the Data Protection Agreements control based on feedback, changes in regulations, and emerging best practices. Stay informed about any updates or changes to data protection laws that may affect the agreements.
  • Documentation: Maintain thorough documentation of all activities related to the implementation and management of Data Protection Agreements. This documentation should include meeting minutes, audit reports, training records, and any other relevant evidence.

What evidence do auditors look for?

Most auditors, at a minimum, look for the action suggested below:

  • An example of a Data Protection Agreement

Evidence example

For the suggested action, an example is provided below:

  • An example of a Data Protection Agreement

Screenshot source

[Screenshot: PRIV 25 1]
