The GDPR weighs on much more than data mapping and consent tracking for organizations. For many enterprises and smaller organizations, Data Processing Agreements become a massive hurdle to achieving full GDPR compliance. We've found that the unique nature of the GDPR-mandated agreements and the volume and velocity at which they must be executed present a painful, top-of-mind problem for most in-house legal teams. The problem isn't adequately solved by traditional solutions.
How do we create, track, manage, negotiate, sign, and route these agreements — but with speed, with limited resources, and at massive scale?
Whether you're looking at processing tens, hundreds, or thousands of agreements, in this webinar I (Kyle Robbins, Legal Operations Consultant at PactSafe) took a look at how to build a scalable DPA execution and tracking process that won't tax your team for resources or overwhelm your support staff.
In this webinar, we outlined the following:
How to Assess Your Existing Tools and Process
If you’re unclear as to whether your existing processes will be affected by GDPR, ask the following questions:
- Does your organization have establishment(s) or operation(s) or employee(s) in any of the EU/EEA countries?
- Does your organization offer goods and/or services to EU/EEA residents and process their personal data in connection with the transaction, with or without purchase?
- Is your organization monitoring people's behavior or is your processing activity related to behavior that is taking place in the EU/EEA?
If the answer is “yes” to any of these, then you must implement the necessary changes to meet compliance. Subscribe to our GDPR resource hub to receive updates and tips on how to become compliant.
What Your Organization’s DPA Should Contain
PactSafe does not provide legal advice, but here are a few informational tips we included in the webinar to help you get started:
- The subject-matter and duration of the processing of personal data;
- The nature and purpose of the processing;
- The obligations of security, warning and alert towards the controller.
- Also note who needs to sign—vendors, partners, your customers.
A great starting resource for drafting is the IAPP & DLA Piper Sample Addendum.
Why You Should be Viewing Your DPA as a High Velocity Contract
A DPA is a great example of a high velocity contract: something crucial to the business whose success and value rely on efficiency. These types of contracts, in an ideal world, should never be redlined; they should never escalate within the organization and should be low-touch or no-touch workflows. A high velocity contract should have minimal edits, redlines, escalations, and zero data triage. Examples include:
- SMB-sized sales agreements and MSAs
- Partnership and channel agreements
- Evaluation forms
These types of contracts are currently a massive cost inefficiency at several organizations. On a fairly conservative average, it costs an enterprise organization around $102.00 per document that should have been high-velocity but wasn’t. Due to their length, breadth, and novelty, this amount can be safely doubled for DPAs.
So, what should you do?
Think of this as your test case to get your high-velocity contracts right. 83% of in-house personnel involved in contracting processes are already taxed to capacity or are operating beyond efficient capacity. If your DPA problem has substantial volume, this becomes you.
Ensure that you’re using a platform built for high-velocity contracts like DPAs. This solution should provide automated, digital execution that eliminates redlining and easily connects to the types of contracts you send across various platforms.