The Truth Behind Data Processing Agreements: Myths vs. Reality

Sep 6, 2024

Who Needs a Data Processing Agreement and Why?

A Data Processing Agreement (DPA), also known as a Data Processor Agreement or Data Processing Addendum, is a contract that sets out, among other things, the data processing procedures, the security measures to be applied, and how data subject rights will be honored. DPAs are entered into between a data controller (the company engaging the service) and a data processor (typically the service provider), and are governed by Article 28 of the GDPR as well as individual US state laws.

Data Processing Agreements are almost always negotiated as part of a broader service agreement. But the role of a DPA goes beyond helping to ensure that companies are compliant and protected when it comes to preventing data security incidents. DPAs are also an essential tool in a company’s wider data privacy compliance program and its directives on handling personally identifiable information (PII) and sensitive information, which ranges from a person’s name, phone number, social security number and email address to biometric data and location tags.

Attorneys can have differing interpretations of US privacy laws, usually because of varying levels of familiarity with technology law and data privacy generally. One question that often comes up is: is a Data Processing Agreement needed as part of a service agreement? To help you answer it, we want to debunk some key myths regarding DPAs.

Myth #1: You Don’t Need a Data Processing Agreement if the Company Operates Only in the U.S.

Not only is a DPA a best practice whenever a service provider accesses personal data; a data processing agreement (or a service provider contract containing equivalent terms) is also required under several US state laws, including California (CCPA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Delaware (DPDPA), New York (SHIELD Act), and others.

It’s notable that Congress is considering a federal data privacy law, the American Privacy Rights Act. Whether it will pass is unknown, but the bill’s stated aim is a single national privacy standard that would preempt most existing state privacy laws.

Washington’s My Health My Data Act (the Act), which took effect on March 31, 2024, covers consumer health data collected by companies that would not otherwise need to comply with the federal Health Insurance Portability and Accountability Act (HIPAA). Because the Act is enforceable through the Washington Consumer Protection Act (WCPA), it opens the door to a new burst of private lawsuits. Illinois’ Biometric Information Privacy Act (BIPA) is another example of a data privacy law that produced a flood of lawsuits, including thousands of class actions.

The takeaway for businesses that operate only in the US is that they should have a DPA in place if there is any chance that personal data is being processed.

Myth #2: Using a Template DPA is Fine

DPAs are not one-size-fits-all documents, and they should be negotiated. Effective DPAs are tailored to the specific service provided and the scope of the data processing activities. Depending on the company’s risk profile, DPAs can differ widely in content.

Using a generic template Data Processing Agreement (whether provided by the client, the service provider, or a third party) is likely either to impose more restrictions than necessary or to leave out important procedures. Either outcome can leave the company out of step with the data security protocols it is actually obligated to follow and expose it to regulatory action, lawsuits, and fines.

This is why data processing agreements need to be tailored to the unique relationship between the individual data controller and processor, including the scope, the risks, and the laws surrounding the way the data is processed. The Statement of Work or Work Order is a good starting point for defining that scope.

Myth #3: Data Processing Agreements Provide a Total Shield from Privacy Breach Lawsuits

A DPA isn’t a shield against all data breach liability, but it can provide a defense to lawsuits arising from cybersecurity incidents that lead to data breaches. That is ultimately the top reason a DPA needs to be well drafted and carefully negotiated in conjunction with the master service agreement, master SaaS agreement or EULA. The service agreement and any Statements of Work, Service Level Agreements, Business Associate Agreement (if applicable) and the DPA should go through legal review together, with a keen eye on a robust limitation of liability provision covering cybersecurity and an indemnification provision for security incidents.

To round out your organization’s data privacy best practices, in addition to having a DPA, your in-house legal team or outside counsel should also spearhead an internal risk assessment and maintain a cybersecurity compliance framework that is updated at least annually. This ensures that you routinely address cyber risks affecting your company, vendors and clients, and that you stay in compliance with evolving data privacy laws.

Myth #4: Only Large Organizations Need Data Processing Agreements

Whether you’re a startup or a $40 billion enterprise, a DPA should be signed whenever personal data is collected and processed between businesses. In other words, any entity that collects, processes, retains, or transfers personal data, or has a service provider do so, should have a DPA, regardless of the company’s size.

With the average cost of a data breach in 2024 at $4.88 million, a 10% increase from 2023, data security should be top of mind for small companies as well, since a single cyber security incident can put them out of business. A DPA is a powerful tool to have in your arsenal even if no one is asking you for one right now. Not only does a DPA help to protect you when a security breach occurs, having one in place also builds trust with clients and partners because it demonstrates a company’s commitment to data privacy best practices. It shows them you are serious about protecting client and employee data.

Myth #5: Data Processing Agreements are One-Time, Standalone Documents

DPAs are not static agreements. That is to say, they are not a one-and-done task. Data privacy laws are constantly evolving, as are the data processing practices of service providers. DPAs need regular legal review and updates to keep up with the law, the organization’s relationships, and changes in its data processing activities. For example, the details of how cross-border data transfers comply with regulations are likely to change, including reliance on Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and adequacy decisions, as are the procedures governing the use of sub-processors and the process for updating the list of sub-processors.

Not only are DPAs living documents that need regular updates, they are also not standalone documents. A DPA is used as part of a separate service agreement with a third-party service provider and should be reviewed and negotiated alongside that service agreement and any applicable SOWs or Work Orders.

In conclusion:

Whether you’re a large multinational corporation or a fast-growing small to medium sized business, and whether you’re the data controller or the data processor, understanding the myths surrounding Data Processing Agreements, including when and how to use a DPA, is fundamental to your data processing activities and to compliance with the most current data protection laws.

If there’s one takeaway from this article, it’s that you should make sure your DPA accurately reflects the unique context of each data processing relationship, so that it helps reduce both the likelihood and the impact of security breaches.

For further information on data privacy law developments and assistance with DPAs and other technology agreements, contact a Gouchev Law attorney in our Technology Law Practice, the writers of this Insight.

Disclaimer: The information in this article is for general information purposes only. Nothing in this article should be taken as legal advice for any individual case or situation. This information is not intended to create, and viewing it does not constitute, an attorney-client relationship.

About the Author

Jana Gouchev

Jana Gouchev is the Managing Partner of Gouchev Law and a prominent corporate lawyer on the leading edge of technology law and complex commercial transactions. She delivers legal and commercial insight that propels companies forward. Jana's practice is focused on Corporate Law, Data Privacy and Information Security, Tech Law (consulting, SaaS, and AI), Complex Commercial Contracts, Intellectual Property, and M&A.

Hailing from an AmLaw 50 firm, Jana is the right-hand outside counsel to GCs and executives of the world’s most innovative brands. Jana focuses on working with change-makers. Her client roster includes Estee Lauder, Hearst, Nissan, global tech consulting firms, and SaaS companies like Squarespace. Jana is routinely featured in Forbes, Bloomberg, The New York Law Journal, Law360, Modern Counsel, Inc., and Business Insider for her keen business law insights.
