Data protection agreements – specifically, what are they, and as a business, should I have them?
Three types of data
Generally, your business signs data protection agreements with third parties when you are providing important data to them. Here, data refers to one of three types:
- confidential and proprietary data;
- personal data (a.k.a. personal information);
- and any other data that you believe is worth protecting.
Data protection agreement: Protection, privacy and security
Data protection agreements typically cover three general concepts: data protection, data privacy, and data security.
How specific and complicated does my data protection agreement have to be? It depends on two factors:
- to what extent do you, as a business, want to control the protection, privacy, and security of your data in the third party’s hands; and
- what does the law say?
Regarding the first factor, if you rely on a third-party service to store your important data instead of hosting it on your own servers, it is essential to ensure that this data is properly preserved and accessible for your needs. It should not be disclosed improperly to others, and the third party should have implemented suitable measures to prevent unauthorized access, use, or destruction of the data.
For instance, let us assume that your business does not save its book of business on its own servers but instead stores it in the cloud, using servers owned by a third party. In this case, it is crucial to have confidence that your data will be adequately preserved and consistently accessible to you. Furthermore, you must ensure that your competitors cannot access your book of business. To achieve this, the third party should refrain from sharing your data with competitors and implement protective measures. These measures may include requiring login credentials for access and encrypting the data both at rest and in transit. It’s also important to consider whether your book of business contains personal data, in which case the third party must comply with applicable privacy laws.
Data protection agreement: Legal obligations
The specificity and strength of your data protection agreement are also influenced by the applicable laws. For instance, depending on the nature of the data you possess, retention laws may come into play. These laws typically require you to retain information for a designated period. If a third party is responsible for storing your data, it is essential to ensure that they are also obligated to adhere to the retention laws.
Privacy law is of utmost importance, particularly in cases where the third party experiences a data breach involving the personal data for which you are responsible. In such instances, you might be required to report the breach to the Privacy Commissioner or data protection authority in your jurisdiction. Therefore, it is crucial to have a contractual agreement with the third party that ensures they will notify you in the event of a breach. It is worth noting that privacy laws are becoming increasingly complex, and each jurisdiction is enacting new laws. Staying updated on the latest privacy developments is vital, as non-compliance can result in significant fines. Furthermore, if you work in a profession such as dentistry, law, accounting, or medicine, there may be additional professional privacy obligations that require your consideration.
In addition to retention and privacy laws, there are also cybersecurity laws that focus on implementing security measures to prevent unauthorized access. While privacy laws generally have cybersecurity provisions, other laws may also be applicable.
This brings us to our final question: Should you have a data protection agreement? Unfortunately, the answer is not straightforward. It depends on various factors, such as the type of data you are entrusting to the third party, any legal or ethical obligations you have to ensure their accountability, and the importance of that data to your business.
If you have any questions related to this article’s content, you may reach out to any lawyer in Siskinds’ Privacy, Cyber & Data Governance Team. You can also reach out to the author, Savvas Daginis—a Canadian and American Business, Technology, and Privacy Lawyer—at [email protected] if you have any questions.