Data Processing Agreements: Understanding the Pain Points, Negotiating Key Terms, Ensuring Regulatory Compliance
Breaking Down What a DPA Is, How it Works, and Why All Businesses Need Them

Course Details
- Format: On-Demand
- Difficulty Level: Intermediate
- Practice Area: Commercial Law
- Date: Tuesday, December 17, 2024
- Time: 1:00 p.m. ET/10:00 a.m. PT
- Program Length: 90 minutes
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
This CLE webinar will guide corporate and technology counsel in negotiating data processing agreements (DPAs). DPAs are an essential but often overlooked part of data security for businesses. The panel will break down the pain points when negotiating DPAs and provide compromise tips to help ensure a path to execution.
Faculty

Ms. Ross’ practice focused on technology and U.S. privacy matters. Her extensive experience with technology and technology contracts includes negotiating, drafting, and interpreting over 10,000 computer hardware and software, SaaS, consulting, outsourcing, Internet, electronic signatures, web hosting, application service providers and non-disclosure agreements, many of which were for a federal government contractor. Ms. Ross also handles U.S. privacy matters, including security breach laws, as well as assisting clients with their questions and compliance efforts relating to Red Flag Rule, Health Insurance Portability and Accountability Act Privacy and Security Rules, Gramm-Leach-Bliley, Telephone Consumer Protection Act, CAN-SPAM, California Consumer Privacy Act, and Fair and Accurate Credit Transactions Act. Sue has assisted clients with privacy and information security questions relating to the Payment Card Industry standards, provided counseling on a wide variety of matters that raised privacy issues, and created privacy policies (including Binding Corporate Rules) for corporations, as well as for websites. Ms. Ross is part of the firm's FinTech team, frequently speaking and writing on cryptocurrency, blockchain, and smart contract issues.

Mr. Allen negotiates favorable commercial contracts for organizations in the areas of software as a service (SaaS) licensing, software licensing, IP sales and acquisitions, and data transfer and data processing. He has also advised clients on developing proper data handling and processing practices to comply with the latest developments in U.S. state data privacy laws. Mr. Allen is a member of the firm’s Technology Transactions, Cybersecurity, and Privacy Practice. Prior to joining Foley, he was a cybersecurity and data privacy associate at a Chicago law firm where he counseled small and large entities, including merchants, health systems, hospitals, accounting and consulting firms, and educational institutions on identifying, evaluating, and managing first- and third-party data privacy and security risks. Mr. Allen also assisted in the analysis of compliance responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and related state, federal, and international cybersecurity laws and regulations.
Description
It's hard to imagine a business today that doesn't need a DPA--or rather several such contracts--to cover data-processing activities outsourced to web hosting, cloud storage, customer relationship management, and a roster of other service providers. Generally, under California's Consumer Privacy Protection Act, and other states' data privacy laws, if you're processing the personal data of individuals, you must have a DPA. Failure to comply with these requirements can result in significant penalties.
A DPA is a contract between the company that needs personal data to be processed (the data controller) and the company that processes data on behalf of other companies (the data processor). It establishes the roles and responsibilities of both the data processor and the data controller, and it sets out the terms under which data will be processed. The problem is that DPA templates, whether provided by a data controller or a data processor, rarely stick to the bare bones of what the relevant laws require. Thus, negotiating various nonessential terms can greatly prolong the path to execution.
Listen as our authoritative panel breaks down best practices for drafting effective and compliant DPAs, and how to work through the pain points of negotiating the nonessential terms. The panel will also provide tips for compromising on various terms from the perspective of both the data processor and the data controller.
Outline
- Purpose of a DPA
- When is a DPA required
- Compliance with regulatory requirements
  - CCPA
  - Other U.S. states that have laws governing DPAs
  - Penalties for noncompliance
- Negotiating key terms of a DPA
  - Limitation of liability
  - Use of subprocessors
  - Security measures
  - Responding to data breaches
  - Audit rights
Benefits
The panel will review these and other relevant issues:
- Which data protection laws require DPAs?
- What are the required terms of a DPA?
- What are the privacy and security considerations for DPAs?
- What are the key considerations and what to watch out for when signing a DPA?
- Do processors have to sign a DPA with their subprocessors?
- What are the top pain points when negotiating DPAs, and what are some key compromise tips?
- What are the penalties for noncompliance with the DPA requirements of the CCPA, and other states' privacy laws?