- Live Online with Live Q&A
- November 19, 2025 @ 1:00 p.m. ET / 10:00 a.m. PT
- Intermediate
- Cybersecurity and Data Privacy
- 90 minutes
Negotiating and Drafting Data Processing Agreements: Contested Issues, Regulatory Compliance, New Developments
Description
It's hard to imagine a business today that doesn't need a DPA—or rather several such contracts—to cover data-processing activities outsourced to web hosting, cloud storage, customer relationship management, and a roster of other service providers. Generally, under the EU General Data Protection Regulation (GDPR), California's Consumer Privacy Protection Act, and other states' data privacy laws, if you're processing the personal data of individuals, you must have a DPA. Failure to comply with these requirements can result in significant penalties.
A DPA is a contract between the company that needs personal data to be processed (the data controller) and the company that processes data on behalf of other companies (the data processor). A DPA establishes the roles and responsibilities of both the data processor and the data controller, and it sets out the terms under which data will be processed. The problem is that DPA templates, whether provided by a data controller or a data processor, rarely stick to the bare bones of what the relevant laws require. Also, these agreements have become increasingly complex due to the evolving patchwork of privacy laws at the state, federal, and international level. Thus, negotiating various nonessential terms can greatly prolong the path to execution.
Listen as our authoritative panel breaks down best practices for drafting effective and compliant DPAs and how to work through the common contested issues when negotiating the nonessential terms. The panel will also provide tips for compromising on various terms from the perspective of both the data processor and the data controller.
Presented By

Mr. Austin advises clients on breach response, data privacy, information security, and regulatory compliance related to domestic and international privacy laws and regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and the Health Insurance Portability and Accountability Act (HIPAA). He is certified by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional with expertise in both U.S. and European law (CIPP/US & CIPP/E).

Ms. Thomson counsels a wide range of clients, including private equity firms, financial institutions, and retailers, on complex and cutting-edge issues related to cybersecurity and privacy. She also helps clients assess and implement compliance and remediation efforts to comply with international and domestic regulations, including U.S. state comprehensive privacy laws, CPRA, COPPA, HIPAA, TCPA, PCI DSS, CAN-SPAM, and GDPR. Ms. Thomson’s cybersecurity incident experiences range from deepfakes to double- and triple-extortion ransomware attacks. Carrying out these efforts, she advises clients through the incident response life cycle, including remediation, investigation, and notification. Ms. Thomson also represents clients in class-action data breach litigation cases and helps clients respond to federal and state regulatory inquiries that result from these incidents. Further, Ms. Thomson regularly collaborates on privacy and data security due diligence and facilitates executive and board training on incident response, privacy legal compliance, and the U.S. cybersecurity and privacy law landscape. She is recognized as a Certified AI Governance Professional (AIGP) by the International Association of Privacy Professionals (IAPP).
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
Date + Time
- Wednesday, November 19, 2025
- 1:00 p.m. ET / 10:00 a.m. PT
Outline
I. Purpose of a DPA
II. When is a DPA required
III. Compliance with regulatory requirements
A. GDPR
B. CCPA
C. Other U.S. states that have laws governing DPAs
D. U.S. Bulk Data Transfer Rule
IV. Penalties for noncompliance
V. Negotiating key terms of a DPA
A. Limitation of liability
B. Use of subprocessors
C. Security measures
D. Responding to data breaches
E. Audit rights
VI. New developments and trends
VII. Practitioner pointers and key takeaways
Benefits
The panel will review these and other relevant issues:
- Which data protection laws require DPAs?
- What are the required terms of a DPA?
- What are the privacy and security considerations for DPAs?
- What are the key considerations, and what should you watch out for, when signing a DPA?
- Do processors have to sign a DPA with their subprocessors?
- What are the top pain points when negotiating DPAs, and what are some key compromise tips?
- What are the penalties for noncompliance with the DPA requirements of the GDPR, CCPA, and other states' privacy laws?