News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Building a culture of privacy: Data processing contracts for the win Related reading: How to build a 'culture of privacy'

rss_feed

This series for The Privacy Advisor by the team at Sentinel, a privacy consultancy and the company behind the privacy program management technology Ethos, examines the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this third article, we look at privacy through the lens of contractual obligations and show how a culture of privacy will enable organizations to more easily meet those obligations. Find the first two articles in the series here.

Beyond the parties

There are always at least two parties to any data processing contract, and, as privacy professionals, our aim should be to make the contracting process meet the strategic needs of all interested parties — including the signatories and, increasingly, downstream processors, as well as the data subjects themselves. Where contracts deal with personal information, it is important to consider the data subject’s perspective. Increased transparency requirements through laws like the EU General Data Protection Regulation and California Consumer Privacy Act give individuals more visibility than ever before of how their data is being shared with multiple companies and for what purposes. Ignoring the expectations of consumers is increasingly likely to result in issues long after contracts have been negotiated and filed away.

Acknowledging that the terms “controller” and “processor” are expressed differently depending on jurisdiction, we will use them to identify these key participants more broadly. Controllers have a direct relationship and responsibility to the individuals whose data they have gathered. Part of that responsibility is carefully evaluating and selecting partners (i.e., processors) to support their data processing activities. From a controller’s perspective, the goal of onboarding a processor is to deliver a business outcome while managing risk. Contracts are an important vehicle to achieve this, but the contracting process itself can often be lengthy and risk mitigation can sometimes take a back seat to more tactical considerations.

While processors in most cases do not owe the same responsibilities to individuals whose data they process, they have a lot of skin in the game, too. Every cloud company, for example, is likely a much larger entity than most of its customers and is party to many more data processing contracts. Processors need to be able to tell a privacy story that will meet the needs of the majority of their current and potential customers’ contractual asks, whether these are based on regulations or common controls that broadly cover “reasonable” security or privacy concerns. Optimizing this engagement process can make a big difference in the "cost of compliance."

With these driving factors in mind, let's turn to the contracting process itself.

Boilerplate battles miss the point

Many privacy professionals, especially those with privacy programs in the early phases of maturity, focus their contractual review almost exclusively on regulatory and indemnification requirements. “Gotcha! The data protection addendum is missing XYZ requirement. We can’t proceed without it.” However, this adversarial approach misses the greater opportunity to discuss primary business drivers while evangelizing the benefits of privacy practices for both parties.

Critical business objectives, such as maintaining a transparent and responsive data processing relationship or the ability to demonstrate strict customer data segregation, are commonly more important to the parties than standard compliance terms, particularly for businesses operating as data processors for other entities. Focusing on each party’s strategic business objectives instead of “must-have” boilerplate provisions provides an opportunity to strengthen the partnership and build resiliency to address the shifting privacy landscape. How then do you promote good privacy measures while recognizing critical business objectives? By turning the emphasis from compliance to building a culture of privacy.

Shift your focus for a new perspective on privacy

To demonstrate this point, assume for a moment that holding a data subject’s PI is a privilege and a position of trust. With this perspective, the responsibility to ensure transparent and secure processing is self-evident.

For the legally inclined, consider the analogy of a bailment. A bailment is the act of placing property in the custody and control of another, in which the holder (bailee) is responsible for the safekeeping of the property. A common example of bailment is checking out a library book. In bailment law, when property is given to the bailee for the sole benefit of the bailee (i.e., the owner of the property receives no benefit from the bailee’s use of their property), the law imposes a duty of extraordinary care to keep the property safe and return it to its owner. As checking out a library book is a bailment for the sole benefit of the reader, if the reader fails to return or damages the book the obligation to pay is clear.

Using this framework in the data processing context, if there is no clear benefit to the data subject, a data controller and, by extension, their subsequent processors, must handle the PI with extraordinary care and, depending on jurisdiction, may even be subject to liability without any showing of actual fault.

Whether you agree with the fiduciary or bailment model of data custodian or not, it’s clear that legislators and regulators are considering aspects of this framework. Concepts such as a data subject's ownership of their PI and requiring companies to publicly declare how they value consumer data sets the stage for legislative adoption of high levels of care in processing. Given evolving privacy standards, taking a data custodian viewpoint when forming and carrying on data processing relationships is future-proofing your data processing agreements by doing the right things, not merely the minimum legal standard.

Business resiliency from a partnership approach to privacy

One essential step is to align your internal stakeholders on privacy. You will be hard-pressed to sustain collaborative privacy partnerships if key stakeholders within your own organization do not share a common vision for how PI should be processed and managed. Address divergent viewpoints by creating opportunities within your organization to align privacy measures with stated business values.

If you don’t already have one, solicit leadership to charter a privacy working group of internal stakeholders including privacy, legal, compliance, vendor risk management, information services and key business units. This working group should be tasked with reviewing and making recommendations to leadership on organizational privacy issues. An inclusive and empowered working group promotes privacy competence, avoids the common pitfalls of siloed business operations, and aligns both data processing and external communications. This can help to avoid common challenges, such as enthusiastic salespeople trying to meet their quota before quarter end by agreeing to any data protection requirements, even if they are significantly out of line with an organization’s posture.

With a unified organizational position on privacy, partner agreements can be more open and collaborative. Coming to the table truly informed on your organization’s priorities and practices dramatically increases the effectiveness of contracts and assures the terms will be honored once in place. Instead of competing for the most favorable terms or sometimes even to secure terms necessary to keep your own organization in line, the contracting process presents an opportunity to discuss each party’s business objectives and dependencies and build partner trust. This shift in focus from “winning” allows for more consideration of data subject rights and how the parties can best cooperate in a dynamic regulatory and consumer sentiment environment.

Culture of privacy for the win-win-win

The benefits of promoting a culture of privacy within your organization are many-fold. One is the bandwidth recovered to consider both partner and customer needs when drafting data processing agreements. This shift in focus provides greater organizational benefits than defensive contracting and promotes relationship trust and resiliency in the face of changing business pressures and evolving regulatory burdens. Additionally, building a foundation of common understanding and reliable performance makes subsequent amendments or renegotiations that much easier. This privacy win-win-win approach to contracting is an essential part of establishing a culture of privacy within your organization.

Photo by La-Rel Easter on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Grant Barrett, CIPP/E, CIPP/US IAPP Member Contributor
Tags
Privacy Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
How to build a 'culture of privacy'
2
It has become clear that data privacy is an imperative for any organization that collects or uses personal data — and let’s face it, that’s pretty much every organization. But most companies still aren’t putting the necessary resources into their privacy programs, and as a result they fall short of ...
Read More queue Save This
FISA Section 702's Reauthorization Era
For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, ...
Read More queue Save This
Related Stories
Tags
Privacy Operations Management
Recent Comments