Roland Flutet

Senior Manager, IT, ACL


The hype around GDPR compliance may have died down, but that doesn't mean your obligations have.

Leading up to the May 25, 2018 deadline, you couldn't turn a corner without bumping into another article, blog post, or water cooler discussion about the EU General Data Protection Regulation (GDPR). Everyone was abuzz, all rushing to ensure compliance with the new regulation.

But GDPR compliance isn't "set it and forget it": it comes with a long list of ongoing deliverables that organizations need to stay on top of.

Data Processing Addendum (DPA)

One of these ongoing deliverables is the establishment of a Data Processing Addendum (DPA) with every vendor that processes personal data on your behalf. A DPA needs to be in place for any vendor (payroll or CRM providers, for example) that stores or processes the personal data of your employees or customers.

Under the GDPR, personal data is any information relating to an identified or identifiable natural person (the "data subject"). Personal data includes:

  • names
  • email addresses
  • IP addresses
  • photos
  • medical information
  • and many other data points.

Whether you are a controller of that data, a processor, or a sub-processor, it is your responsibility to establish a DPA with every relevant vendor so that they meet their obligations. Think of it as a fail-safe way to make sure everyone does what they need to do, when they need to do it (like sending timely notification of a data breach, or giving notice before a sub-processor is changed).

What is a GDPR “Controller” and “Processor”?

As per Article 4 of the EU GDPR:

  • Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
  • Processor: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

Controller, processor, or sub-processor—everyone has responsibilities when handling personal data.

The DPA process

The process to establish a DPA is initiated when a new vendor is onboarded (e.g. during preliminary due diligence) and consists of the following four steps:

  1. Confirm whether the vendor is in scope of GDPR for your company. In other words, will this company be touching the personal data of your employees or customers?
  2. Obtain their DPA template. GDPR doesn’t enforce a standard DPA format, so there’s a lot of variability between companies. (Just Google “DPA example” and you’ll see!)
  3. Have the DPA reviewed by your legal counsel. This is required because a vendor's template may not contain every term that Article 28(3) of the GDPR demands of a processor contract (processing only on documented instructions, confidentiality, security measures, rules for engaging sub-processors, assistance with data subject requests and breach notification, deletion or return of data, and audit rights), and you may need to add provisions to meet your own standard of compliance.
  4. Sign the DPA and save it into your DPA archive system.

And you’re done! At least for that vendor…

How ACL can help with GDPR DPAs

Since assessing vendors under the GDPR is an ongoing requirement, even for us here at ACL, we decided to use ACL GRC to execute a standard DPA due diligence process. We discovered a lot of benefits from using our own software to run this process.

Automated workflows

In the ACL Platform, when we enter (or onboard) a new vendor, a workflow is automatically initiated if we indicate that the vendor is within the scope of GDPR. This is helpful for large or complex organizations that need multiple departments involved in vendor onboarding, especially because no additional licenses are needed to include any number of employees in a workflow.

Does the vendor fall within the scope of GDPR? If yes, initiate the workflow.

Easy-to-follow steps

Once we've identified that a vendor is within scope and recorded why, the next step is to define what we're monitoring, which actions should be performed, and when those actions should be triggered.

In the image below, the vendor status is currently under review, because a DPA review needs to be completed by our legal department once we receive the vendor’s DPA template.

It’s easy to identify the status of each vendor within the onboarding process.

One central place to store and access files

When multiple teams are involved in a documentation process, they often save a copy of their documentation as they complete their work—sometimes to their desktop, to shared drives, or maybe within project management tools like Confluence, Asana, or Jira. These folks may also request a copy of the final version for their files.

But we all know what happens when we have multiple versions of the same document floating around: chaos and confusion. IT, legal, and InfoSec now have several signed and unsigned copies of the DPAs for each vendor! In ACL GRC, we save the final file at the end of the workflow so everyone can easily access the actual final, signed version of the document. It’s a one-stop-shop for all our DPAs.

A single, easy to access place to store your signed DPAs.

Clear visibility with storyboards

ACL GRC also has self-serve dashboards for different teams, management, and operations. By integrating information from all of our processes, these dashboards give our teams visibility into DPA progress, so we can easily spot where things get hung up and address those issues.

Self-serve dashboards for different teams, management, and operations means you’re not spending time running individual reports.

Auditable trail of who did what

All of the data and metadata is stored in ACL GRC, so at any time, for any record, we can look back and see who added what, which steps they took, and when. This helps us build a defensible position and demonstrate appropriate due diligence.

Ready to get started?

Managing your data processing addendums doesn't have to be a pain. With the right technology in place, and processes tailored to your organization's needs, you'll be able to meet your obligations and have a fail-safe way to make sure everyone is doing what they need to do, when they need to do it.

White paper: GDPR: How to establish a strong defensible position

Find out the key actionable steps you should take as part of your GDPR planning. In this white paper, produced in cooperation with Information Management, we discuss how you can:

  • leverage technology solutions that will allow you to automate herculean tasks
  • establish a solid strategy, strong controls, and effective procedures
  • create a continuous-improvement loop to regularly update your company's compliance efforts and help develop industry gold standards
  • secure executive endorsements and engage cross-functional teams, including IT, legal, operations, and business lines.
