When remote cooperation with outsourcing partners first became popular, a Data Processing Agreement (DPA) was treated as an optional extra. Now it is an indispensable part of working with third parties. So how do you make sure that you choose a reliable outsourcing partner who will keep your data safe? That is the question this article answers.

Data Processing by a Third Party: Why You Should Care

If you already understand how secure data processing reduces risk, skip to the next section. If the topic still seems confusing, let's go through it step by step.

Data protection is now one of the top priorities in any cooperation with third parties. Large organizations and governments invest effort in protecting personal data, and the European Union is no exception.

In 2016, the EU adopted the General Data Protection Regulation, or GDPR: a set of rules on the transfer and processing of personal data. Its primary goal is to create a safe legal environment for international cooperation and business. Two years after its adoption, in May 2018, GDPR became applicable, and its effect on the market was impressive: in 2017, businesses already employed nearly 83,000 Data Protection Officers, and that figure has since risen by almost 700%.

Below, you can see what GDPR rights are exercised most frequently:

GDPR rights

Generally, data protection has three core aspects: confidentiality, integrity, and availability. A failure in any one of them tends to compromise the others. Insecure data processing may result in data breaches, financial losses, and reputational damage. This is why you should pay close attention to the data protection guarantees an outsourcing partner gives you before hiring them.

Now, we will look at data processing from two perspectives.

What does third-party data processing mean for a business owner?

As a business owner, you are responsible for choosing a reliable outsourcing partner that will keep your data safe. A third party should take data protection seriously: they have to clearly define the scope, purposes, and limits of their data processing activities, and they have to be legally bound not to disclose the personal data you entrust to them.

You may choose between offshore, onshore, and nearshore partnerships. Offshore partners are located abroad, outside your country and its neighbours. An offshore partnership is an affordable way of finding a trusted outsourcing company. If you are looking for a partner in Ukraine, check out the list of the best offshore software development companies here.

Onshore partners have a legal presence in the same country as your company. Forbytes, for instance, is an onshore partner for businesses in the US and Sweden. Choosing an onshore partner gives you more confidence in data protection, provided, of course, that you know how the laws work in your country.

Meanwhile, a nearshore partner is based in a neighbouring country. The benefit of choosing a nearshore partner is a shared mentality, which in turn results in effective business communication and a clear understanding of what quality of cooperation to expect. Wondering which nearshore partner to choose? This list may help.

When considering a particular country for outsourcing, pay attention to how personal data is protected there at the legal level. Study the figures for that country: analyze the frequency, cost, and outcomes of data breaches. This will help you find a reliable outsourcing company and feel confident about your privacy.

Below, for example, you can see the total value of GDPR fines imposed in certain countries in 2018-2020.

The value of GDPR fines

What does data processing mean for an outsourcing partner?

Suppose that Company A hires Company B to build a CRM system for an ecommerce project. Developing such a system presupposes that Company B will get access to the personal data of Company A's clients. In the eyes of those clients, Company A is the guarantor of their data safety; in the eyes of Company A, Company B has to guarantee it too. Both therefore act as data protectors, and GDPR states this explicitly: the controller (Company A) and the processor (Company B) each carry their own obligations for secure data processing.

So what can an outsourcing partner do on their side? To secure their clients' projects, they have to start with their own environment: an outsourcing company should apply the highest practical level of cybersecurity to its own data. Penetration testing is a good way of checking the company's level of protection and identifying security gaps.

They also have to have a clearly defined privacy policy, with a detailed description of all third-party services that have access to their data. And, finally, they have to be ready to sign a Data Processing Agreement (DPA) with their clients. Why do clients need a DPA? Let's find out in the next section.

DPA as a Way to Keep Your Data Safe

What is a DPA? DPA stands for Data Processing Agreement. A DPA helps companies make sure that all data-processing activities comply with GDPR; in fact, GDPR requires a written contract between a controller and a processor. By signing a DPA, both parties protect project data and agree in advance on how data breaches will be prevented and handled.

Such an agreement is not tied to a specific form: it can be on paper or electronic, part of the general contract or a separate document. Everything depends on the practices both parties prefer. The form of a DPA does not affect its power; its contents do.

What should a DPA look like?

There are 5 basic elements that are usually included in a DPA. They may be complemented by additional ones, depending on the parties' concerns, requirements, and goals. Before signing a DPA with an outsourcing company, make sure that the agreement includes the following:

1. General clauses

  • A data controller is the company or person who determines why and how personal data is processed and, in an outsourcing setup, entrusts that data to a third party.
  • A data processor is the company or person who processes the data on behalf of the data controller.

The first part also describes the following:

  • All types of data that will be accessed by the third party.
  • The data subjects.

The latter are the categories of individuals whose data will be processed; for example, these may be your clients or partners.

General clauses should include the description of:

  • Data processing goals.
  • Scope of data.
  • Data processing software.
  • Data processing duration.
  • Data storage description.

And what about the DPA's own duration? Outline the following:

  • The duration of the agreement.
  • The conditions of agreement termination.

Do not forget to state that the data processor is obliged to delete your data (or return it to you, at your choice) once the DPA is terminated.

2. Rights and responsibilities of stakeholders

This element consists of:

  • The rights and responsibilities of a data controller.

Here, your rights and responsibilities as a data controller are described. Why responsibilities? Because the DPA states that you have to observe the rights of data subjects and provide the data processor with clear, documented instructions for processing.

  • The rights and responsibilities of a data processor.

This part of the document describes the rights and responsibilities of the data processor. Their main duty is to ensure data security and minimise the risk of a data breach. If a breach does occur, the data processor has to notify you without undue delay and support your response. Data processing companies are also obliged to help you comply with data subjects' rights.

A data processor has to keep a record of their data-related activities and allow you to audit DPA compliance. They are not allowed to involve any further third party (a sub-processor) in data processing without your written authorisation.

3. Procedure and process description

The third part is devoted to the measures taken by all parties to ensure data protection and secure data processing in outsourcing. It should cover both of the following:

  • Organizational measures for data protection and agreement compliance.
  • Technical measures for the same.

4. Final clauses

Here, companies usually mention:

  • The conditions under which the agreement can or cannot be changed.
  • The precedence of the DPA over other documents in case of conflict.

5. Annexes

Annexes include any supplementary documentation that is essential for the execution of the DPA. For example:

  • Tables with step-by-step process descriptions.
  • Audit results.
  • Lists of GDPR areas that are of particular importance.

That’s it. Of course, there are plenty of DPA templates available online. Yet, if you opt for such a template, make sure that all essential elements are included in the document. It will help you prevent confusion and reduce risk. Remember: spending some time customizing a template is safer than neglecting important aspects of the agreement.

DPA components


Checklist for Choosing a Secure Data Processor

You already know what a good DPA looks like. But before signing the agreement, make sure that your software development partner is reliable. Our quick checklist may help you identify the weak spots of your data processor and address them in the DPA. Here are the questions to ask:

DPA checklist

1. Does the company have a registered office in the European Union?

Choose an outsourcing partner that has a presence in the European Union. It adds certainty about the security of the services your partner provides, and it helps you make sure that GDPR compliance and data privacy exist not only on paper but also in practice. A partner outside the EU is not ruled out, but then the DPA has to cover the safeguards GDPR requires for international data transfers.

2. Is the company GDPR-compliant?

Check your partner's privacy and data protection policy. Analyze in depth the third parties that have access to the company's data. If you have doubts, discuss them in advance; sometimes it is even better to spell out controversial points in the agreement or contract.

3. What information security strategy does it have?

Ask your potential partner how they ensure information security. Do they have a security strategy? Ask who is responsible for securing data in their company. A good partner is ready to answer security-related questions.

4. How is data stored?

It is nearly impossible to ensure the safety of client data if a company fails to ensure the safety of its own. Ask your partner where their data is stored. Do they use on-premise storage or a cloud-based solution? If the latter, how reliable is their cloud provider?

5. Is data protected at the technical level?

Ask the outsourcing company about the technical side of data protection. What hardware do they use? How do they handle authentication and authorization? A reliable partner keeps an inventory of authorized devices and controls access to them.

6. How does the company prevent software vulnerabilities?

A professional software development team works full-cycle: apart from building the product itself, the company also provides support and maintenance. So how does your partner ensure the security of the products they make, and how do they handle vulnerabilities found after release? Do they have a response plan in case of a data breach?

7. What infrastructure protection strategy does it pursue?

The final question will help you understand how the company prevents data breaches. How does your potential partner back up their data, and have they tested restoring from those backups? How do they protect their devices from malicious attacks?

Final Thought

This article has covered the essentials of the Data Processing Agreement (DPA). Data safety is of the utmost importance both for you and for your clients. Be aware of the adverse outcomes of data breaches and make every effort to prevent them. A great way to reduce risk is to hire a trustworthy partner. We hope this information helps you choose a reliable software development company that provides high-quality services.