The hype around GDPR compliance may have died down, but that doesn’t mean that your obligations have. Learn how to stay on top of managing vendor Data Processing Addendums.
Leading up to the May 25, 2018 deadline, you couldn’t turn a corner without bumping into another article, blog post, or water cooler discussion about the EU General Data Protection Regulation (GDPR). Everyone rushed to comply with this new regulation, but GDPR compliance isn’t “set it and forget it”—it involves ongoing deliverables that organizations need to stay on top of.
What Are Data Processing Addendums?
One of these deliverables is the establishment of Data Processing Addendums (DPAs) with all vendors that store and process personal information.
Personal data is information related to a person (or “data subject”) that can be used to identify them. According to GDPR compliance, personal data includes many data points like:
- Email addresses
- IP addresses
- Medical information.
It’s your responsibility to establish a DPA with every relevant vendor to make sure they meet their obligations. Think of it as a fail-safe way of making sure everyone does what they need to, when they have to do it.
What are GDPR “controllers” and “processors”?
Article 4 of the EU GDPR defines them as:
- Controller: “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- Processor: “A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.”
“Since assessing vendors is an ongoing requirement, we decided to use our HighBond platform to execute a standard process for DPA due diligence.”
The Data Processing Addendum process
You establish a DPA when you onboard a new vendor (e.g., during preliminary due diligence). The process involves the following four steps:
- Confirm whether the vendor is in scope of GDPR for your company. Will this company be touching the personal data of your employees or customers?
- Obtain their DPA template. GDPR doesn’t enforce a standard DPA format, so there’s a lot of variability. (Just Google “DPA example” and you’ll see!)
- Have the DPA reviewed by your legal counsel.
- Sign the DPA and save it into your DPA archive system.
How HighBond helps with Data Processing Addendums
Since assessing vendors is an ongoing requirement, we decided to use our HighBond platform. We executed a standard process for DPA due diligence. We discovered many benefits from using our own software.
When we enter (or onboard) a within-scope vendor, a workflow is automatically initiated. This is helpful for large organizations that require multiple departments to be involved in vendor onboarding.
The next step is to define what we’re monitoring, actions to be performed, and when they should be triggered.
In the image below, the vendor status is under review. This is because a DPA review needs to be completed by our legal department once we receive the vendor’s DPA template.
One central place to store and access files
When multiple teams are involved in a documentation process, they often save a copy of their documentation as they complete it. This could be on their desktops, in shared drives, or in project management tools like Confluence. These folks may also request a copy of the final version for their files.
But we all know the chaos and confusion that results from multiple document versions! IT, legal, and InfoSec now have several signed and unsigned copies of the DPAs for each vendor. In HighBond, we save the final file at the end of the workflow. Everyone can easily access the actual final, signed version. It’s a one-stop-shop for all our DPAs.
Clear visibility with storyboards
HighBond also has self-serve dashboards for different teams, management, and operations. By integrating information from all of our processes, these dashboards provide our teams with visibility into the DPA progress, and we can help easily spot where things get hung up, and mitigate those issues.
Auditable trail of who did what
All of the data and metadata is stored in HighBond. So, at anytime (and for any record), we can look back and see who added what, and when. This helps us build a defensible position and show due diligence.
Ready to get started?
Managing your data processing addendums doesn’t have to be a pain. With the right compliance technology solution in place, you’ll easily meet your regulatory obligations and avoid big fines.