Does anyone in here have experience with integrating your company's requirements in regard to protecting other sensitive data, or other general information security requirements, in a DPA?
We are certified by the ISO 27001 standard and are therefore required to ensure information security with our suppliers if they have access to systems or data. On top of that, the GDPR requires us to secure personal data and make DPAs with our data processors. Integrating this in one document would be great.
Serif Zjakic
A DPA should have an Appendix which describes how the third party will implement Technical and Organizational Measures to protect your data. You can add there the minimum requirements which you expect from the third party (your internal info.sec requirements).
Dave_Wylie
There are definitely checklists of suggested provisions and clauses that should appear in the Terms of Engagement and specifically in the DPA that expands on them, which stipulate clearly all eventualities from a Data Protection perspective; both in the instances of expected (normal) and unexpected (exception) scenarios (incidents, breaches, takeovers, mergers etc.).
Couple this with the Vendor Due Diligence processes in onboarding any new parties you intend to engage, to ensure you have all the information that you need to create and validate the detail of the DSA; this will ensure that holistically you are covered.
Hope that helps.