Managing GDPR vendor Data Processing Addendums

The hype around GDPR compliance may have died down, but that doesn’t mean that your obligations have. Learn how to stay on top of managing vendor Data Processing Addendums.

Leading up to the May 25, 2018 deadline, you couldn’t turn a corner without bumping into another article, blog post, or water cooler discussion about the EU General Data Protection Regulation (GDPR). Everyone rushed to comply with this new regulation, but GDPR compliance isn’t “set it and forget it”—it involves ongoing deliverables that organizations need to stay on top of.

What Are Data Processing Addendums?

One of these deliverables is the establishment of Data Processing Addendums (DPAs) with all vendors that store and process personal information.

Personal data is information related to a person (or “data subject”) that can be used to identify them. According to GDPR compliance, personal data includes many data points like:

  • Names
  • Email addresses
  • IP addresses
  • Photos
  • Medical information.

It’s your responsibility to establish a DPA with every relevant vendor to make sure they meet their obligations. Think of it as a fail-safe way of making sure everyone does what they need to, when they have to do it.

What are GDPR "controllers" and "processors"?

Article 4 of the EU GDPR defines them as:

  • Controller: “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
  • Processor: “A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.”

"Because assessing vendors is an ongoing requirement, we decided to use our HighBond platform to execute a standard process for DPA due diligence."

The Data Processing Addendum process

You establish a DPA when you onboard a new vendor (e.g., during preliminary due diligence). The process involves the following four steps:

  1. Confirm whether the vendor is in scope of GDPR for your company. Will this company be touching the personal data of your employees or customers?
  2. Obtain their DPA template. GDPR doesn’t enforce a standard DPA format, so there’s a lot of variability. (Just Google “DPA example” and you’ll see!)
  3. Have the DPA reviewed by your legal counsel.
  4. Sign the DPA and save it into your DPA archive system.

How HighBond helps with Data Processing Addendums

Because assessing vendors is an ongoing requirement, we decided to use our HighBond platform. We executed a standard process for DPA due diligence. We discovered many benefits from using our own software.

Automated workflows

Entering a within-scope vendor automatically initiates a workflow. This is helpful for large organizations that require multiple departments to be involved in vendor onboarding.

Does the vendor fall within the scope of GDPR? If yes, initiate the workflow.

Easy-to-follow steps

The next step is to define what we’re monitoring, actions to be performed, and when they should be triggered.

In the image below, the vendor status is under review. This is because a DPA review needs to be completed by our legal department once we receive the vendor’s DPA template.

It’s easy to identify the status of each vendor within the onboarding process.

One central place to store and access files

When multiple teams are involved in a documentation process, they often save a copy of their documentation as they complete it. This could be on their desktops, in shared drives, or in project management tools like Confluence. These folks may also request a copy of the final version for their files.

But we all know the chaos and confusion that results from multiple document versions! IT, legal, and InfoSec now have several signed and unsigned copies of the DPAs for each vendor. In HighBond, we save the final file at the end of the workflow. Everyone can easily access the actual final, signed version. It’s a one-stop-shop for all our DPAs.

A single, easy to access place to store your signed DPAs.

Clear visibility with storyboards

HighBond also has self-serve dashboards for different teams, management, and operations. We integrate information from all of our processes, and use these dashboards to provide our teams with visibility into the DPA progress. And we can help easily spot where things get hung up, and mitigate those issues.

Self-serve dashboards for different teams, management, and operations means you’re not spending time running individual reports.

Auditable trail of who did what

All of the data and metadata is stored in HighBond. So, at anytime (and for any record), we can look back and see who added what, and when. This helps us build a defensible position and show due diligence.

Ready to get started?

Managing your data processing addendums doesn’t have to be a pain. With the right compliance technology solution in place, you’ll easily meet your regulatory obligations and avoid big fines.


Better practices for compliance management

You’ll learn:

  • What a high-performance compliance management process looks like
  • How to transform your compliance management program
  • The key technology considerations for achieving a high-performance compliance program.

Download eBook