In the first part of this series about Data Protection Agreements (DPAs), I covered five common privacy-related issues. But not all data is "personal data." A company holds many other kinds of non-personal data, such as confidential, sensitive, and otherwise private or proprietary information. Data privacy risk is lower when dealing with non-personal data, but that data can still be commercially sensitive and valuable to your organization. In this article, I cover five common non-privacy-related issues for customers/controllers to consider when negotiating a DPA.
1. License to Use Customer Data
This clause should set out that each party owns its own intellectual property, grant each party a licence to the other's intellectual property, and detail exactly what the recipient may do with it. As the customer, you will need to grant a licence to your customer data (both personal and non-personal) so that the SaaS provider can use it in connection with the platform.
Be mindful of the scope of the licence granted here. Some SaaS providers request a right to use your information to "improve the performance of" their platform or for "market analysis." Language of this kind gives a processor quite broad rights over your data. Where the data is highly commercially sensitive, you should push back on this language in the redlines, insist that any such data is aggregated and anonymized before it is used, or draft further limitations on the use and disclosure of your data.
Data aggregation and anonymization are not necessarily a panacea. If you are the only provider of a particular service, or one of a few providers in your field, a determined processor can identify your data by combining it with other information from its own (or a third party's) database or from public information on the web. For example, "anonymized" data might state that "a" company was founded in 1955 and has 38,000 locations to date. A simple Google search combining those two facts gives away that the company being described is McDonald's. To mitigate this risk, you can propose a contractual obligation not to reverse-identify, such as: "Supplier will not attempt to, or actually, re-identify any previously aggregated, de-identified, or anonymized data." Treat such a clause as a backstop rather than a control: it creates a remedy if re-identification happens, but it does not remove the technical ability to do it.
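As an added illustration (not part of the original article), the following Python shows the linkage attack described above run against a constructed sample dataset, and what changes once the two quasi-identifiers are coarsened. The "public register" is made up for the example; only McDonald's founding year and location count are taken from the text above, and the other companies are fictional.

```python
from collections import Counter

# Constructed sample "public register" of companies (example data, not from the
# article). McDonald's two attributes are the ones the article quotes; every
# other company here is fictional.
PUBLIC_REGISTER = [
    {"name": "McDonald's", "founded": 1955, "locations": 38000},
    {"name": "Quickbite Ltd", "founded": 1958, "locations": 41000},
    {"name": "Acme Burgers", "founded": 1955, "locations": 120},
    {"name": "Bluebird Cafes", "founded": 1952, "locations": 340},
    {"name": "Northwind Grill", "founded": 1971, "locations": 35000},
    {"name": "Harbour Coffee", "founded": 1976, "locations": 29000},
]

RAW_FIELDS = ("founded", "locations")      # exact values, as released
GENERALIZED_FIELDS = ("decade", "band")    # coarsened values


def quasi_identifier(row, fields):
    """The tuple of attribute values an attacker can match on."""
    return tuple(row[f] for f in fields)


def candidates(release_row, register, fields):
    """Linkage attack: names in the register whose quasi-identifier equals the
    'anonymized' release row's. A single match means the row is re-identified."""
    target = quasi_identifier(release_row, fields)
    return [r["name"] for r in register if quasi_identifier(r, fields) == target]


def k_anonymity(rows, fields):
    """Size of the smallest equivalence class on the given fields.
    k == 1 means at least one row is unique and therefore linkable."""
    return min(Counter(quasi_identifier(r, fields) for r in rows).values())


def generalize(row):
    """Coarsen the quasi-identifiers: founding year -> decade,
    location count -> order-of-magnitude band."""
    n = row["locations"]
    if n < 100:
        band = "<100"
    elif n < 1000:
        band = "100-999"
    elif n < 10000:
        band = "1000-9999"
    else:
        band = "10000+"
    return {**row, "decade": row["founded"] // 10 * 10, "band": band}


def demo():
    # A release that strips the name but keeps the exact year and location count.
    release = {"founded": 1955, "locations": 38000}
    exact = candidates(release, PUBLIC_REGISTER, RAW_FIELDS)

    # The same release after generalization, matched against a generalized register.
    generalized_register = [generalize(r) for r in PUBLIC_REGISTER]
    coarse = candidates(generalize(release), generalized_register, GENERALIZED_FIELDS)

    return {
        "exact_matches": exact,
        "k_raw": k_anonymity(PUBLIC_REGISTER, RAW_FIELDS),
        "coarse_matches": coarse,
        "k_generalized": k_anonymity(generalized_register, GENERALIZED_FIELDS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the raw fields every company in the sample is unique (k = 1), so the nameless row resolves straight to McDonald's. After generalization each row shares its quasi-identifier with at least one other company (k = 2), so the attacker is left with two candidates. Even that is weak; k-anonymity only bounds how many records look alike, and a processor that also knows, say, the customer's sector can shrink the candidate set again, which is why the contractual prohibition is still worth having.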
2. Audit Rights
One of the key challenges in negotiating a DPA is securing appropriate rights to audit. On the one hand, as a customer, you want sufficient access to the provider's data centers and controls to satisfy yourself that your data is held securely. On the other hand, a SaaS provider operating a one-to-many service has promised all of its customers the same level of confidentiality and security. That uniform position is compromised if you are offered unfettered audit rights and other customers are not.
Depending on the customer profile, the value of the deal, and any hosting restrictions, SaaS providers may either permit a limited audit at your expense or provide you with a summary report of their own audit. Where an on-site audit is permitted, it will typically be during business hours, at a time convenient for the SaaS provider, and with their experts on hand, so that they can maintain confidentiality across their network and other customers' data.
Unless you are subject to regulatory outsourcing rules (see below), you are more likely to be offered an audit report or executive summary prepared by an independent auditor. The report will generally set out how the provider's security controls measure up against industry standards. The two most common are certification to ISO 27001 and a SOC 2 report. Where particularly commercially sensitive data is being shared, have a member of your information security team review these reports rather than treating the existence of a report as the assurance: check that the scope covers the service and locations you will actually use, whether a SOC 2 report is Type I (design at a point in time) or Type II (operating effectiveness over a period), the period covered, and any exceptions the auditor noted.
3. Regulatory outsourcing
If you work for a business in the financial services sector in Europe, chances are that you fall under the jurisdiction of one of the EBA, EIOPA, or ESMA. Each of these authorities has published guidance on outsourcing to cloud providers. It is worth reviewing these guidelines, as they mandate specific provisions (such as audit, data security, availability of services, and termination) that must be included in your cloud outsourcing agreements.
Some cloud providers, like GCP, have been on the front foot and have produced regulatory maps setting out how their terms and conditions can assist their customers to comply with their regulatory requirements. A good example can be seen here.
4. Cyber Insurance
Having moved in-house with a cyber insurance business, I have learned how important it is for businesses to have appropriate cyber insurance coverage, particularly in the current climate, where cybercrime is on the rise and more and more businesses find themselves facing cyber security incidents. A recent report puts the cost of a ransomware attack in the UK at $1.08 million. On this basis, it is a good idea to include an obligation on the SaaS provider to obtain and maintain appropriate coverage for privacy and cybersecurity liabilities, large enough to cover the losses that could be incurred, and to provide evidence of that insurance on written request.
5. Exit and Data Migration
While we always plan for successful long-term relationships, every agreement should consider how the relationship will end. Where data is involved, it is useful to understand:
how long it would take to download your data;
how easy it would be to migrate to another provider;
whether the data can be downloaded in a useful format; and
whether or not you require assistance in migrating data.
The key risk with this clause is vendor lock-in: being unable to move to another provider because of operational complexity. The answers to these questions will let you draft a termination clause that allows you to move between providers with minimal operational disruption.
* * *
For five other common issues you may face when negotiating a DPA, check out the first part of this series.
Hussein is a UK-qualified technology lawyer at CFC Underwriting, a technology focussed insurance business. Prior to moving in-house Hussein trained and qualified into the technology team at Pinsent Masons in London and completed a secondment with Google Cloud. Hussein has a keen interest in data privacy, AI, and emerging technologies.