How to meet Data Protection Addendum Criteria, 100% of the time.
A common ask from my SaaS clients is to look over a Data Protection Addendum (DPA) to see if their system meets the DPA’s criteria out of the box. 100% of the time, it doesn’t. Company DPAs are meant to be overprotective; it’s on the attorney and the company, working together, to make the contract reflect reality.
Here are 5 of my most common changes to big company DPAs:
Consent for Collection
Make sure your data provider reps and warrants that it has the right to give you the data AND that the consumers or data subjects have been properly notified.
Data Minimization
Before receiving data, always question its necessity. You don’t want HIPAA-regulated data or sensitive private information unless it’s absolutely necessary. Make sure it’s clear what you will and won’t process.
De-Identification
When processing data at scale, consider requesting de-identified (including differentially private) and hashed personal information from the provider; it reduces your liability in the event of a breach and, when done properly and documented on the back end, reduces your compliance workload. One caveat: a plain, unkeyed hash of a low-entropy field such as an email address or phone number is easily reversed by hashing a list of guesses, so ask that the provider use a keyed or salted hash and keep the key on its side, or the data is not meaningfully de-identified in your hands.
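The following is an added illustration of the hashing point above, not code from the original post. It uses a constructed sample dataset (invented names and addresses) and a constructed attacker guess list, and assumes Python’s standard `hashlib` and `hmac`. It shows that unkeyed SHA-256 of an email address is reversed by a simple dictionary lookup, while an HMAC-SHA256 pseudonym keyed with a secret the recipient never sees is not, and pairs the pseudonym with generalisation (age bands) so the delivered rows carry no direct identifiers.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset; names and addresses are invented for illustration.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.com", "age": 34, "plan": "pro"},
    {"name": "Bob Example", "email": "bob@example.com", "age": 29, "plan": "free"},
    {"name": "Carol Example", "email": "carol@example.org", "age": 61, "plan": "pro"},
]

# Constructed guess list, standing in for the leaked address lists an attacker
# would really use against unkeyed hashes.
ATTACKER_GUESSES = ["alice@example.com", "bob@example.com", "dave@example.net"]


def _normalise(value: str) -> bytes:
    return value.strip().lower().encode("utf-8")


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of a normalised value. This is NOT de-identification."""
    return hashlib.sha256(_normalise(value)).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable for joins, reversible only by the key holder."""
    return hmac.new(key, _normalise(value), hashlib.sha256).hexdigest()


def reverse_by_dictionary(hashes, guesses, hash_fn):
    """Attacker view: hash every guess and look for matches in the dataset."""
    lookup = {hash_fn(g): g for g in guesses}
    return {h: lookup[h] for h in hashes if h in lookup}


def age_band(age: int) -> str:
    """Generalise an exact age into a coarse band so it is no longer a quasi-identifier."""
    if age < 18:
        return "<18"
    if age < 35:
        return "18-34"
    if age < 55:
        return "35-54"
    return "55+"


def deidentify(records, key: bytes):
    """Drop name and email, keep a keyed pseudonym for joins, coarsen age."""
    return [
        {
            "subject_id": keyed_pseudonym(r["email"], key),
            "age_band": age_band(r["age"]),
            "plan": r["plan"],
        }
        for r in records
    ]


if __name__ == "__main__":
    # The provider generates and keeps this key; the recipient only sees pseudonyms.
    provider_key = secrets.token_bytes(32)

    naive = [naive_hash(r["email"]) for r in SAMPLE_RECORDS]
    print("unkeyed hashes reversed:",
          reverse_by_dictionary(naive, ATTACKER_GUESSES, naive_hash))

    pseudonyms = [keyed_pseudonym(r["email"], provider_key) for r in SAMPLE_RECORDS]
    print("keyed pseudonyms reversed:",
          reverse_by_dictionary(pseudonyms, ATTACKER_GUESSES, naive_hash))

    for row in deidentify(SAMPLE_RECORDS, provider_key):
        print(row)
```

Because the HMAC is deterministic for a given key, the provider can still deliver consistent `subject_id` values across batches for joining, while the recipient holds nothing that can be turned back into an email address. If the key ever has to be shared with the recipient, the pseudonyms are pseudonymous data, not de-identified data, and the contract should say so.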
Third-Party Access
I get it: as a small business, you’re often relying on third-party service providers to host or provide key aspects of your processing. Make sure your DPA allows for processing by those third parties.
Data Breach Liability
Big company DPAs put all the cost and responsibility of a data breach on you by default, even if it isn’t your fault. Limit your liability to your statutory responsibilities under data privacy law.
Need assistance with this?
Email Thomas Codevilla at: codevilla@skandslegal.com for help ensuring your system meets DPA criteria.