When working with development teams on privacy compliance, a common misconception comes up regularly: "We have a Master Services Agreement with our supplier, so we are covered for data protection."
This assumption misses a critical distinction.
An MSA effectively addresses the business relationship: pricing, delivery terms, intellectual property, confidentiality. But personal data processing involves specific requirements that standard confidentiality clauses cannot adequately address.
The Gap in Your Contracts
Most Master Services Agreements treat information as either confidential or non-confidential. Privacy law operates differently. Personal data requires specific handling protocols regarding collection, use, storage, and deletion, plus rules governing access, breach notification timelines, and data subject rights.
These provisions typically do not appear in standard MSAs. And importantly, you need a Data Processing Agreement regardless of whether you are managing international data transfers or handling purely domestic information. The border question is a separate one.
What Actually Needs to Be in Your DPA
A comprehensive Data Processing Agreement should address elements that are absent from typical MSAs:
- Data specificity: Define exactly what data is processed and why. "Customer information" lacks sufficient clarity. Differentiate between email addresses collected for notifications, payment details, and usage analytics.
- Role definitions: Establish whether parties function as controllers or processors, along with the corresponding responsibilities and accountability structures.
- Subprocessor management: Clarify whether suppliers can engage third parties with your data, under what conditions, and whether you receive notification and objection rights.
- Security and breach management: Specify required security measures, breach notification protocols, and response timelines.
- Data subject rights: Define how suppliers assist with access requests, deletions, and other rights exercises, including timelines and delivery formats.
- Compliance verification: Include audit rights and assessment capabilities to verify supplier adherence to security standards.
- Data lifecycle management: Address retention periods post-contract termination and assign liability responsibilities.
The Supplier Focus
While clients typically provide their own DPAs when you serve as a processor, supplier relationships often lack formal agreements, particularly with smaller vendors. In these cases, presenting your own DPA becomes essential.
Getting This Right
Operating without DPAs in supplier relationships creates ambiguity that tends to surface at the worst possible moments: during audits, client vendor assessments, or security incidents. This is not about compliance checkboxes. It is about establishing clarity around who is responsible for what when something goes wrong.
If you are reviewing your supplier contracts and are not sure where the gaps are, reach out.