GDPR – Data Processing Agreements.


The initial rush and urgency for organisations to be GDPR compliant by 25th May 2018 appears to have given way to an apparent calm. Whilst calm is a desirable state, it’s important to maintain our awareness that GDPR is a work in progress and should be part of a continuous improvement drive around the control of data.
Some of Redwood’s customers have not yet received Data Processing Agreements (DPA) from their own clients and the previous drive to get these in place may have lost some momentum. It is as much the responsibility of the Data Processor to have a DPA in place as it is the Controller, and if processing personal data on behalf of another organisation, a written instruction to process legally will be required.
We therefore encourage companies to follow-up with their clients and pursue Data Processing Agreements where they are required. From our experience, there can be confusion as to who is who when it comes to Controller and Processor relationships and in some cases, this is the hurdle that needs to be overcome before a DPA is issued and the terms agreed.
The Information Commissioners Office (ICO) has produced some good material giving clarity in this area and the following links might be useful in determining the requirements of a DPA and who is who.
Contracts and liabilities between Controllers and Processors
Key Definitions – Controllers and Processors
Feel free to contact us for more information or to discuss specific GDPR requirements.