An Introduction to Data Processing Compliance

When do you need a DPA?

The first important thing to know is that there’s a degree of subjectiveness about the rules that can cause some confusion and complications.

The basic rule is you need DPAs when you’re planning to get another organisation to do some work on some personal data and they are acting as a processor.

The receiving party act as a processor when they are doing what you tell them and are processing the data how you tell them to – by providing a service, for example.

That’s not always clear cut. If you use a telemarketing agency for example are they a processor or a controller if you’re giving them data to call? A telemarketing organisation will be following their own processes when they contact your data.

If the receiving party decides how to use the data then they may well be a controller, in which case you don’t need a DPA.

In this instance we would recommend you put a controller-to-controller agreement in place, but this is not mandatory whereas a DPA is.

The subjective nature of this somewhat underlines the point of the GDPR – as a controller you need to always consider what you’re doing with your data and act accordingly. The GDPR is not just a blanket set of rules to follow.

When do these agreements take effect?

All DPA and controller-to-controller agreements only take effect if personal data is involved.

If you cannot identify a contact from the data transferred then data protection rules do not apply.

Your company confidentiality rules still may apply though, depending on the data.

Because of the lack of clarity that sometimes comes into play when you’re identifying whether a relationship is controller-controller or controller-processor, and therefore what agreements you may or may not need, it can be easy to make mistakes or not pay enough attention to what you need to do.

Ignoring the data protection laws can lead to serious compliance issues and worse.

On the opposite side of the coin, you don’t want to overcomplicate things for the sake of it.

A new solution

Why create significant overheads by creating unnecessary agreements or open yourself up to compliance issues by not quite getting things right?

There’s a new tool on the market that can take all the complexity away.

ClearCrypt enables organisations to exchange personal data quickly and securely in a fully compliant manner without you needing to put any agreements in place.

You can use ClearCrypt to:

·        Compare: encrypted comparison of data between two organisations in a secure environment, maintaining compliance with data protection regulations and privacy and security policies

·        Exclude: find out what data your customer already has and exclude it without the need for time-consuming paperwork and the setup of data processing agreements

·        Suppress: securely provide your data suppression list to a third party with the knowledge and assurance that they can only view data already in their possession

·        Target: quickly discover the overlap in data between you and your partner/channel network with complete confidentiality

Data providers and brokers, marketing agencies and technology companies all use ClearCrypt to compare two sets of data to see which contacts they have in common. ClearCrypt enables them to do this without swapping personal details which therefore prevents the need for data processing agreements.

Find out more about how ClearCrypt could help your business, your partners and customers today, here.