How to make a solid data processing agreement?
When you organise events, there’s a big chance that you’re working with suppliers who process data on your behalf. For example: registration partners or software and Email Service Providers (ESPs) like MailChimp. According to the new EU privacy law*, signing a data processing agreement with any supplier who processes data is mandatory as of 25 May 2018. In this agreement, you specify the type of data, the obligations and responsibilities of both you and your suppliers. In this article, we discuss the topics that should be included in the agreement.
*General Data Protection Regulation (GDPR)
The data processing agreement is not completely new
Companies that have their security policy in place have been using a similar agreement for quite some time. Up until now, it was not mandatory to sign such an agreement with all your suppliers. As of May 2018, it will be. The topics that must be included are fixed - and if you don’t follow these guidelines, your company will risk a high fine in case of a data breach. TIP: Start preparing the agreement in time, as the process might take a while.
What’s in a data processing agreement?
The new processing agreement should contain the following topics:
- Duration of the agreement
Just like any other agreement, the duration and end date of the agreement should be determined. Do you use event software based on a license agreement? Make sure the terms correspond.
- Purpose of the processing
A clear description of why the supplier processes data on your behalf should be included. For example, for the purpose of event registration or event surveys.
- Type of (personal) data
Usually, the registration form calls for generic information such as name, company name and job title. But bear in mind that dietary requirements, passport photos, credit card and passport data are considered extraordinary personal data - and require a higher security level. Be very restrictive in asking for this type of information, even though you may consider it essential for your event. Make sure you have a clear understanding of what information can and cannot be requested from your contacts.
- Processor obligations
Specify that all parties involved operate in accordance with the GDPR. Any additional obligations may be included in this section.
- Data processing location
The new agreement states that all data should be stored and processed within the EU. If you’re working with suppliers from the United States, ask your Data Privacy Officer (DPO) how to approach this matter.
- Responsibilities of the parties
As principal, you are responsible for the data. However, the processor (your supplier/partner) also has responsibilities. It is very important to indicate the responsibilities of all parties involved - particularly concerning a possible data breach.
- Security policy of the supplier
Examine the security policy of your suppliers. As you are responsible for the data, you should take sufficient measures to assess your suppliers on this matter. A professional supplier is transparent about its policy - enabling you to determine if it matches the requirements of your organisation. Include the DPO in this process and make clear agreements.
- Reporting a data breach
A new - and important - section of the GDPR concerns a data breach caused by your supplier. According to the new law, your supplier must report this to you (i.e. if it concerns your data). Your organisation is obliged to report this to the European Supervisory Authority - as you are responsible for the data. In the processing agreement, you should include guidelines on how and when this specific notification should be made.
- Involvement of sub-processors
Your supplier might involve its own external suppliers (sub-processors) in their service. Make sure you know who they are prior to starting the collaboration. This section states that your supplier cannot involve any additional sub-processors without your permission. Hence, you as principal keep a clear overview of the chain of (sub)processors, enabling you to protect the data.
- Retention period
Determine how long your data will be retained - and what happens to the data when the agreement is terminated. According to the GDPR, every organisation must register all data processing activities. This register contains which data are processed, for what purpose and how long the data is stored. The activities of external processors should also be covered. Therefore, include the retention period of your supplier in this section.
- Confidentiality
Determine what information is considered confidential - and who has access to this information. Please note: this does not only concern personal data, but also correspondence between you and your supplier.
- Audit
In order to make sure your supplier follows the privacy rules, you can ask an independent party to perform an annual check. Cooperation from the supplier’s side is mandatory, so all agreements, policies and processes can be checked. The costs of this audit are at the expense of the supplier.
Model agreement GDPR
Do you wonder what a model agreement looks like in practice? During the second half of November, our white paper on how to make your event (software) GDPR-ready will be published. Besides many practical tips & tricks, this white paper will contain a template data processing agreement for events. You can pre-order the white paper by sending an email to [email protected].
As an event manager, you probably work with external suppliers that process personal information on your behalf. As of May 2018, your organisation must sign a data processing agreement with all suppliers. In case your organisation is not using such agreements already, it is wise to start making arrangements with the external processors. Start now, involve the legal department of your organisation, and be GDPR-ready in time!
This is the last blog in a series of three about the new privacy law. Also read:
- Part 1: Start preparing for the new EU data privacy law (GDPR)
- Part 2: How to prevent a data breach?
- Pre-order the GDPR white paper (to be published November 2017)