What Every Business Needs to Know About Data Processing Agreements - and What New U.S. Laws Could Mean for You
- Dan Shibilia
- Oct 15, 2024
- 7 min read
As businesses increasingly adopt software-as-a-service (SaaS) tools for operations, the focus often remains on benefits like efficiency, scalability, and cost savings. However, one critical aspect that cannot be overlooked is data privacy and compliance. If your company processes any personal data, even something as simple as an employee email address, a Data Processing Agreement (DPA) is not just a legal formality—it’s a necessity.

If you're not already using DPAs, new laws coming to the U.S. could make them mandatory sooner than you think.
What Is a Data Processing Agreement, What are We Protecting, and Why Does It Matter?
A DPA is a legal contract between your company and any third-party service provider (such as a SaaS vendor) that sets out how personal data is handled and protected. Under the GDPR the requirement comes from Article 28, which obliges a controller to bind every processor by a written contract with specific mandatory terms. Many businesses mistakenly think that DPAs are only necessary for large corporations or for companies operating in Europe under the General Data Protection Regulation (GDPR). But in reality, if your business processes any personal data through a third party, no matter where you're based, you need a DPA.
Personal data doesn’t just include sensitive information like social security numbers or credit card details. It is any information that can be used to identify an individual, either directly or indirectly. This includes details such as:
Names: Full names or initials.
Contact Information: Email addresses, phone numbers, and home addresses.
Identifiers: Social security numbers, driver’s license numbers, and IP addresses.
Demographic Information: Age, gender, race, and marital status.
Financial Information: Bank account numbers and credit card details.
Health Information (PHI): Medical records and health conditions.
In a corporate setting, personal data can include additional categories of information beyond basic identification details like:
Employee Records:
Job titles, salaries, and performance evaluations.
Employment history and references.
Human Resources Data:
Benefits enrollment information, including health insurance and retirement accounts.
Leave requests, disciplinary actions, and attendance records.
Contact Information:
Work email addresses, phone numbers, and office locations.
Professional Identifiers:
Employee ID numbers and login credentials for company systems.
Financial Information:
Bank account information for payroll purposes.
Reimbursement details for expenses.
Training and Development Data:
Records of completed training programs, certifications, and professional development courses.
Surveys and Feedback:
Responses to employee satisfaction surveys or feedback forms.
Digital Activity Logs:
Tracking of employee activities on company devices, such as browser history or software usage.
Biometric Data:
Fingerprints, facial recognition data, or other biometric identifiers used for security purposes.
Communication Records:
Emails, chat logs, or any correspondence that includes personal information.
Essentially, any information that can link back to an individual and is used in the course of business operations can be considered personal data. This data must be handled with care to comply with data protection laws and regulations.
Incoming U.S. Legislation: Why You Need to Prepare Now
Although GDPR gets most of the spotlight, similar laws are rapidly being introduced across the U.S. For example:
- The California Consumer Privacy Act (CCPA) has already set stringent guidelines for how companies must protect consumer data.
- The Virginia Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023, bringing GDPR-like controller/processor obligations to businesses serving Virginia residents.
- The Colorado Privacy Act (CPA) took effect on July 1, 2023, further expanding data privacy protections.
And there's more on the horizon. Connecticut, Utah, and Texas have since enacted comprehensive privacy laws of their own (Texas's took effect in July 2024), and more states are drafting theirs. Congress has considered the American Data Privacy and Protection Act (ADPPA) and, in 2024, the American Privacy Rights Act (APRA), federal bills that would create a national framework for data privacy; neither has passed, so there is still no single federal privacy law.
All these regulations share a common theme: businesses will need to get serious about how they handle personal data, no matter where they’re located. As these laws come into play, DPAs will be a legal necessity, not just a nice-to-have.
What Happens If You Don’t Have a DPA?
Failing to have a DPA in place can leave your company vulnerable to severe risks:
1. Data Breaches: Without a DPA, there may be no formal agreement on how your SaaS provider protects your data. In the event of a breach, you could face legal and financial fallout, including loss of customer trust.
2. Regulatory Fines: With GDPR, CCPA, and new U.S. state laws, businesses can be fined millions for not adhering to data protection standards. Under the GDPR, companies can be fined up to €20 million or 4% of their global annual turnover, whichever is higher. Under the CCPA, civil penalties are higher for intentional violations, and for breaches of certain personal information caused by a failure to maintain reasonable security, consumers can sue for statutory damages of $100 to $750 per consumer per incident.
3. Limited Recourse: If a SaaS provider mishandles your data, a DPA gives you legal grounds to hold them accountable. Without it, you may have little or no legal recourse.
Why Every Business—Big or Small—Needs a DPA
You might think that data privacy laws only apply to large corporations, but even small businesses are vulnerable. According to a 2023 report by Verizon, 46% of all cyberattacks target small businesses*. This alarming statistic underscores the pressing need for all companies, regardless of size, to take data privacy seriously. Cybercriminals often view smaller organizations as easier targets due to limited resources and less robust security measures.
With more states introducing laws similar to the GDPR, the landscape of data privacy is evolving rapidly. States like California, Virginia, and Colorado have enacted their own consumer privacy laws, and many other states are following suit. This trend means that even smaller businesses will need DPAs to ensure they meet compliance and protect themselves from risks associated with data breaches and regulatory fines.
A DPA serves as a critical shield for your organization, clarifying the responsibilities of both parties when it comes to handling personal data. Whether you're a startup using a Customer Relationship Management (CRM) tool or a growing company relying on Human Resource management software, you are responsible for the data that your third-party SaaS providers process. This responsibility includes:
Understanding Data Handling Practices: You need to know how your SaaS providers collect, store, and process personal data. A DPA provides transparency and ensures that the provider's practices align with your company’s data protection standards.
Ensuring Compliance: Compliance isn’t just a legal obligation; it’s also a crucial aspect of maintaining customer trust. A DPA helps ensure that your business adheres to relevant regulations, such as CCPA or GDPR, minimizing the risk of fines and reputational damage.
Mitigating Risk: In the event of a data breach, having a DPA in place allows you to hold your service provider accountable. It outlines their responsibilities for data security and breach notification, giving you legal grounds to seek recourse if they fail to protect your data.
Building Customer Trust: Consumers are increasingly concerned about how their personal data is handled. Demonstrating that you have robust data protection agreements in place can enhance your reputation and instill confidence in your customers.
Scalability and Growth: As your business grows and you adopt more SaaS solutions, the complexity of managing personal data increases. A DPA is essential for scaling your operations without compromising data privacy.
How to Know When a DPA Is Necessary
If you’re unsure whether your business needs a DPA, ask yourself:
1. Does my company share any personal data with a third-party SaaS provider?
2. Is any of this data regulated under current or upcoming data protection laws (e.g., CCPA, GDPR)?
3. Does the SaaS tool process sensitive information like health records, financial transactions, or personal identifiers?
If the answer is "yes" to any of these, you need a DPA in place before signing a contract with that provider.
How to Implement DPAs in Practice
Implementing a DPA isn’t as daunting as it might seem. By taking a proactive approach, your business can protect itself and ensure compliance with data protection laws. Here are the key steps to prepare for using a DPA:
Map Out Your Data Flows: Identify what personal data your business collects and where it’s stored or processed. Understand which SaaS tools or third-party vendors handle this data and for what purposes.
Understand Your Legal Obligations: Review the relevant data protection laws in your jurisdiction—GDPR, CCPA, or emerging state laws—and determine what they require from both you and your service providers. The International Association of Privacy Professionals (IAPP) is an excellent resource for staying current on global data protection regulations.
Conduct a Vendor Risk Assessment: Assess each SaaS vendor’s data protection capabilities. Check their compliance with relevant regulations and their history with data breaches. You should only work with vendors who can meet your security and privacy requirements.
Negotiate the Terms of the DPA: The DPA should cover specific details like data retention policies, breach notification requirements (including how quickly the vendor must tell you), the vendor's security measures, approval of and flow-down of obligations to any sub-processors, and return or deletion of your data when the engagement ends. Make sure the agreement includes the right to audit their compliance with the agreed terms.
Monitor and Review Regularly: Once your DPA is in place, don’t just file it away. Regularly monitor your SaaS provider’s compliance with the agreement and review it as laws evolve or your data processing needs change.
Train Your Team: Ensure that your employees understand the importance of DPAs and their role in protecting personal data. Training on data privacy practices should be a part of your ongoing compliance strategy.
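The "map out your data flows" and "monitor and review" steps above are easier to keep honest if the vendor inventory lives in a file you can run checks against rather than in someone's head. The script below is an added illustration, not Procurement Counsel's tooling: it classifies each vendor's data categories using the page's own lists of personal and sensitive data, decides whether a DPA is required, and flags DPAs that are missing the terms the page says to negotiate or that are overdue for review. The vendor names, category names, the 12-month review interval, and the sample inventory are all constructed assumptions for the example.

```python
"""Vendor data-flow inventory: who touches personal data, who needs a DPA,
and which DPAs are missing terms or overdue for review.
Added example; vendors, categories and the review cadence are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Category labels follow the page's lists of personal data. Anything a vendor
# reports that is in neither set is flagged for manual classification rather
# than silently treated as non-personal.
PERSONAL = {
    "name", "email", "phone", "address", "ip_address", "employee_id",
    "job_title", "salary", "performance_review", "benefits", "training",
    "survey_response", "activity_log", "chat_log", "credentials",
    "ssn", "drivers_license", "bank_account", "credit_card",
    "health_record", "biometric",
}
SENSITIVE = {"ssn", "drivers_license", "bank_account", "credit_card",
             "health_record", "biometric", "credentials"}
NON_PERSONAL = {"service_url", "response_time", "aggregate_metrics"}

# Terms the page says a DPA should cover.
REQUIRED_TERMS = {"retention", "breach_notification", "security_measures", "audit_right"}
REVIEW_INTERVAL_DAYS = 365  # assumed annual review cadence (not stated on the page)


@dataclass
class Vendor:
    name: str
    purpose: str
    data_categories: set
    dpa_signed: bool = False
    dpa_terms: set = field(default_factory=set)
    last_reviewed: Optional[date] = None


def assess_vendor(v: Vendor, as_of: date) -> dict:
    """Return the DPA status and a list of findings for one vendor."""
    personal = v.data_categories & PERSONAL
    sensitive = v.data_categories & SENSITIVE
    unclassified = v.data_categories - PERSONAL - NON_PERSONAL
    findings = []

    if personal and not v.dpa_signed:
        findings.append("no DPA in place")
        if sensitive:
            findings.append("sensitive data shared without a DPA: "
                            + ", ".join(sorted(sensitive)))
    if v.dpa_signed:
        missing = REQUIRED_TERMS - v.dpa_terms
        if missing:
            findings.append("DPA missing terms: " + ", ".join(sorted(missing)))
        if v.last_reviewed is None or (as_of - v.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append("DPA review overdue")
    if unclassified:
        findings.append("unclassified data categories, classify before trusting this result: "
                        + ", ".join(sorted(unclassified)))

    return {
        "vendor": v.name,
        "purpose": v.purpose,
        "dpa_required": bool(personal),
        "personal": sorted(personal),
        "sensitive": sorted(sensitive),
        "findings": findings,
    }


def build_report(vendors, as_of: date) -> dict:
    """Assess every vendor; keyed by vendor name."""
    return {v.name: assess_vendor(v, as_of) for v in vendors}


def action_items(report: dict) -> list:
    """Vendors with at least one finding, sorted by name."""
    return sorted(name for name, r in report.items() if r["findings"])


# Constructed sample inventory (not real vendors or contracts).
AS_OF = date(2024, 10, 15)
SAMPLE_VENDORS = [
    Vendor("CRM", "sales pipeline", {"name", "email", "phone", "job_title"},
           dpa_signed=True, dpa_terms=set(REQUIRED_TERMS), last_reviewed=date(2024, 3, 1)),
    Vendor("Payroll", "salary and tax filings", {"name", "ssn", "bank_account", "salary"},
           dpa_signed=True,
           dpa_terms={"retention", "breach_notification", "security_measures"},
           last_reviewed=date(2023, 1, 10)),
    Vendor("Web analytics", "site traffic", {"ip_address", "page_views"}),
    Vendor("Uptime monitor", "availability checks", {"service_url", "response_time"}),
]

if __name__ == "__main__":
    for name, r in build_report(SAMPLE_VENDORS, AS_OF).items():
        status = "DPA required" if r["dpa_required"] else "no personal data"
        print(f"{name}: {status}")
        for f in r["findings"]:
            print(f"  - {f}")
```

Running it against the sample inventory reports the analytics vendor as needing a DPA it does not have, the payroll vendor's DPA as lacking an audit right and being overdue for review, and nothing for the uptime monitor. The point of the unclassified-category finding is that an inventory only protects you if every category a vendor receives has actually been classified; a new field added to an export should surface here, not be assumed harmless.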
How Procurement Counsel Can Help You Stay Ahead of the Law
At Procurement Counsel, we specialize in procurement and contract management with a focus on data protection compliance. We understand the intricacies of U.S. data protection laws and can help you put DPAs in place that protect your business from the legal, financial, and reputational risks of data breaches.
Here’s how we can help:
DPA Assessment: We’ll assess whether you need a DPA when purchasing SaaS tools and ensure you’re compliant with both current and upcoming laws.
Contract Negotiation: We’ll help you negotiate DPAs and other contractual terms with your SaaS providers to protect your business interests.
Regulatory Guidance: With new U.S. laws coming into effect, our team stays ahead of the regulatory landscape, ensuring your business remains compliant, no matter where you operate.
Data privacy is not just a concern for big corporations; it affects businesses of all sizes. And with pending U.S. legislation, DPAs are becoming a critical component of every business’s legal toolkit. Protect your business today by partnering with Procurement Counsel.
Visit procurementcounsel.net to learn more about how we can help safeguard your business against data privacy risks while maximizing your SaaS investments. Don’t wait until regulations force your hand—be proactive with your data protection strategy today.
*Source: 2023 Data Breach Investigations Report. Verizon DBIR 2023