When Do I Need A Data Processing Agreement

Map data usage and determine risks

Before you create a DPA, you need to be clear about which category of personal data is involved. The GDPR distinguishes two categories: regular personal data and special category data. Regular personal data includes information such as names and dates of birth; special category data includes sensitive information such as financial and biometric data. Your organization needs to be clear about which category the data protection authority will consider the data to fall under, as special category data requires a higher level of data protection measures. Your subcontractors must also understand the sensitivity of the data they process on your behalf and align their security measures accordingly. Given the complexity of the task, it is advisable to have the data processing agreement as a separate document. That contract should make it clear that the controller, and not the processor, has overall control over what happens to the personal data.

What should my company do to ensure compliance?

First, identify every relationship your company has with suppliers, customers, subcontractors, contractors, agents, resellers, distributors, etc., in which you share or disclose personal information. Second, for each of these relationships, identify whether you are the data controller or the data processor. Depending on the answer, you will likely want a slightly different data clause: as a data controller, you will inevitably want to place as much of the burden on the data processor as possible, whereas as a data processor, you want the data controller to be fully responsible for compliance with the law. Finally, determine whether there is a written contract between the two parties.
If there is an existing contract, you will have to agree to a modification of this contract (which, in principle, should not be a problem because the other party should also be interested in amending this contract to comply with the GDPR).

If you do not have an existing contract, you must enter into a written agreement and ensure that it contains the required data clause. Depending on the schedule, you may be able to use the “model clauses” published by the European Commission or the UK government. Any contract you enter into that involves a flow of personal data must include an appropriate data clause that complies with the GDPR.