It’s easy to think that the ship has sailed. You’ve signed an MSA or sales agreement, you’ve begun doing business, and the contract feels very much in the rear-view mirror. You realize, however, that your data terms are dated. GDPR and the CCPA aren’t covered in sufficient detail. Personal data and storage specifications don’t cover the current business reality. The breach response action plan is woefully insufficient.
Fear not. There is still time to add a data processing addendum (DPA) to your cross-border contract. Here are a few pointers on what you can do:
- Reach out to your counterparty. Negotiations can often be adversarial, especially when lawyers get involved. That’s not necessarily the case here. You can frame the need for an addendum in collaborative terms, mentioning the need for contingency planning and compliance with the many laws governing data protection.
- Sign an addendum. This is standard drafting: an addendum that identifies the existing agreement (by title and date) and amends it. Some things to cover:
  - Conflicts. State what is being updated and replaced. If the addendum conflicts with the original agreement, the addendum should control, but only with respect to its own subject matter (not the entire contract).
  - Consideration. At least mention consideration. In some jurisdictions (e.g., U.S. common-law states), consideration is needed for an amendment to be enforceable. It can be nominal but should be explicit.
  - Cover Contingencies. To avoid repeating the scenario you find yourself in, future-proof the addendum. Describe the categories of personal data and the processing activities as broadly as you can defend. When stating the basis for processing, track GDPR Article 6(1) and name the lawful basis actually relied on; for much commercial processing that will be legitimate interests (Article 6(1)(f)), but the addendum should identify the basis rather than assume one.
  - Address Data Breach Responses. If your existing data protection clause sits in the body of the framework contract, chances are the breach response language is inadequate. This is where the addendum comes in. The breach response clause should say who reports breaches to authorities in which jurisdictions, who notifies affected individuals, and what information each party must share with the other. It should also fix time periods, such as the 72-hour notice to the supervisory authority required by GDPR Article 33. Keep in mind that the 72-hour clock runs from when the controller becomes aware of the breach, while a processor need only notify the controller "without undue delay" (Article 33(2)); a controller will therefore want the addendum to require its processors to report within a shorter, defined window (commonly 24 to 48 hours in negotiated DPAs) so it has time to make its own filing.
- Plan for Cross-Border Contingencies. It goes without saying that different jurisdictions have different laws. GDPR applies across the EU's 27 member states. The U.S. has no comprehensive federal data law, but all 50 states, the District of Columbia and several territories have their own breach notification statutes, each with its own triggers, deadlines and content requirements. Other jurisdictions have comprehensive data laws of their own (e.g., Brazil's LGPD; China's PIPL). Data compliance therefore calls for real scenario planning. At a minimum, you should:
  - Cover Cross-Border Transfers. GDPR Chapter V restricts transfers of personal data out of the EU: absent an adequacy decision for the destination country, the transfer needs an approved safeguard, and the European Commission's standard contractual clauses (SCCs) are the mechanism most parties use. Make sure your addendum incorporates the current SCCs, using the module that matches your controller/processor relationship, wherever EU personal data is involved. Even if your business doesn't touch the EU, similar transfer language is a smart idea.
  - Specify Data Storage Location. Given those transfer rules and concerns about unauthorized access, it is worth specifying where the data will be stored and from where it may be accessed. There has been considerable back-and-forth between the U.S. and E.U. over whether U.S. personal data protections are adequate, something we covered in a previous blog post. Knowing your risk points and writing them into the contract makes responding to a change in law much more straightforward.
  - Know Your Obligations. Given the number of jurisdictions, you need to know, and spell out, how you and your counterparty will respond to a data breach. Depending on the scenario, you may be obligated to notify affected individuals, notify local authorities, or both, often on different clocks. Thinking through these contingencies and addressing them in your addendum lets you respond far better when a breach actually comes.
While the ship may have sailed on your initial contract, think of a data processing addendum as your lifeboat. By addressing how and where data gets processed, and who does what when something goes wrong, you are able to survive the stormy waters of data breach risk. This lifeboat also helps you fend off the risk of fines and penalties. A data processing addendum is well worth the time.
Disclaimer: This blog is for informational purposes only and does not constitute legal advice. Reading or interacting with this content does not create an attorney–client relationship. You should consult a qualified attorney for advice regarding your specific situation. Mehaffy, PLLC disclaims all liability for actions taken or not taken based on this blog.
