Description
It's hard to imagine a business today that doesn't need a DPA—or rather several such contracts—to cover data-processing activities outsourced to web hosting, cloud storage, customer relationship management, and a roster of other service providers. Generally, under the EU General Data Protection Regulation (GDPR), California's Consumer Privacy Protection Act, and other states' data privacy laws, if you're processing the personal data of individuals, you must have a DPA. Failure to comply with these requirements can result in significant penalties.
A DPA is a contract between the company that needs personal data to be processed (the data controller) and the company that processes data on behalf of other companies (the data processor). A DPA establishes the roles and responsibilities of both the data processor and the data controller, and it sets out the terms under which data will be processed. The problem is that DPA templates, whether provided by a data controller or a data processor, rarely stick to the bare bones of what the relevant laws require. Also, these agreements have become increasingly complex due to the evolving patchwork of privacy laws at the state, federal, and international level. Thus, negotiating various nonessential terms can greatly prolong the path to execution.
Listen as our authoritative panel breaks down best practices for drafting effective and compliant DPAs and how to work through the common contested issues when negotiating the nonessential terms. The panel will also provide tips for compromising on various terms from the perspective of both the data processor and the data controller.
Presented By
Bio for Annie Attorney; loves horses and arguments
This is a bio for Big Boat. Big Boat is an avid reader and unicyclist.
This is a bio for speaker, Roller Coaster. Roller Coaster enjoys walks on the beach and pizza with pineapple.
-
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
-
Date + Time
- event
Wednesday, November 19, 2025
- schedule
1:00 p.m. ET./10:00 a.m. PT
I. Purpose of a DPA
II. When is DPA required
III. Compliance with regulatory requirements
A. GDPR
B. CCPA
C. Other U.S. states that have laws governing DPAs
D. U.S. Bulk Data Transfer Rule
IV. Penalties for noncompliance
V. Negotiating key terms of a DPA
A. Limitation of liability
B. Use of subprocessors
C. Security measures
D. Responding to data breaches
E. Audit rights
VI. New developments and trends
VII. Practitioner pointers and key takeaways
The panel will review these and other relevant issues:
- Which data protection laws require DPAs?
- What are the required terms of a DPA?
- What are the privacy and security considerations for DPAs?
- What are the key considerations and what to watch out for when signing a DPA?
- Do processors have to sign a DPA with their subprocessors?
- What are the top pain points when negotiating DPAs, and what are some key compromise tips?
- What are the penalties for noncompliance with the DPA requirements of the GDPR, CCPA, and other states' privacy laws?
Related Courses
afdfasdfafdsafdsfd
Available On-Demand
New Cybersecurity Maturity Model Certification Program: Compliance Obligations; Implications for DoD Contractors
1:00 p.m. ET./10:00 a.m. PT
Negotiating and Drafting Data Processing Agreements: Contested Issues, Regulatory Compliance, New Developments
Wednesday, November 19, 2025
1:00 p.m. ET./10:00 a.m. PT
