Negotiating and Drafting Data Processing Agreements | CLE Course

BarbriSFCourseDetails

BarbriPdBannerMessage

campaign

Welcome! Strafford is now BARBRI! The expert courses you know from the trusted global leader in legal education.

Course Details

Course Information

smart_display Format
Live Online with Live Q&A
signal_cellular_alt Difficulty Level
Intermediate
work Practice Area
Cybersecurity and Data Privacy

Date & Time

event Date
Wednesday, November 19, 2025
schedule Time
1:00 p.m. ET./10:00 a.m. PT
timer Program Length
90 minutes

Credit Information

This 90-minute webinar is eligible in most states for 1.5 CLE credits.
Choose a State

Live Online

On Demand

Early Bird Pricing!

MSRP

$297.00

$252.45

Save $44.55

Discount expires 10/13/25

This course is $0 with these passes:

CLE

ALL

This CLE webinar will guide privacy counsel on the latest developments and strategies for negotiating and drafting data processing agreements (DPAs). The panel will break down the common contested issues when negotiating DPAs and provide compromise tips to help ensure a path to execution.

Faculty

Patrick J. Austin

Of Counsel

Woods Rogers PLC

Mr. Austin advises clients on breach response, data privacy, information security, and regulatory compliance related to domestic and international privacy laws and regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and the Health Insurance Portability and Accountability Act (HIPAA). He is a Certified Information Privacy Professional with expertise in both U.S. and European law (CIPP/US & CIPP/E) by the International Association of Privacy Professionals (IAPP).

expand_circle_down Expand to View Full Bio expand_circle_up Collapse Bio

Amber C. Thomson

Partner

Mayer Brown LLP

Ms. Thomson is a member of the firm’s Cybersecurity & Data Privacy practice and also the firm’s Litigation & Dispute Resolution practice. Sher counsels clients on complex and cutting-edge issues related to cybersecurity, privacy, and big data, along with helping clients navigate the international trade landscape. This includes counseling clients on CFIUS filings, export controls, country-of-origin requirements, and Miscellaneous Tariff Bill petitions. Ms. Thomson also advises clients on employee mobility matters.

expand_circle_down Expand to View Full Bio expand_circle_up Collapse Bio

Description

It's hard to imagine a business today that doesn't need a DPA—or rather several such contracts—to cover data-processing activities outsourced to web hosting, cloud storage, customer relationship management, and a roster of other service providers. Generally, under the EU General Data Protection Regulation (GDPR), California's Consumer Privacy Protection Act, and other states' data privacy laws, if you're processing the personal data of individuals, you must have a DPA. Failure to comply with these requirements can result in significant penalties.

A DPA is a contract between the company that needs personal data to be processed (the data controller) and the company that processes data on behalf of other companies (the data processor). A DPA establishes the roles and responsibilities of both the data processor and the data controller, and it sets out the terms under which data will be processed. The problem is that DPA templates, whether provided by a data controller or a data processor, rarely stick to the bare bones of what the relevant laws require. Also, these agreements have become increasingly complex due to the evolving patchwork of privacy laws at the state, federal, and international level. Thus, negotiating various nonessential terms can greatly prolong the path to execution.

Listen as our authoritative panel breaks down best practices for drafting effective and compliant DPAs and how to work through the common contested issues when negotiating the nonessential terms. The panel will also provide tips for compromising on various terms from the perspective of both the data processor and the data controller.

Outline

I. Purpose of a DPA

II. When is DPA required

III. Compliance with regulatory requirements

A. GDPR

B. CCPA

C. Other U.S. states that have laws governing DPAs

D. U.S. Bulk Data Transfer Rule

IV. Penalties for noncompliance

V. Negotiating key terms of a DPA

A. Limitation of liability

B. Use of subprocessors

C. Security measures

D. Responding to data breaches

E. Audit rights

VI. New developments and trends

VII. Practitioner pointers and key takeaways

Benefits

The panel will review these and other relevant issues:

Which data protection laws require DPAs?
What are the required terms of a DPA?
What are the privacy and security considerations for DPAs?
What are the key considerations and what to watch out for when signing a DPA?
Do processors have to sign a DPA with their subprocessors?
What are the top pain points when negotiating DPAs, and what are some key compromise tips?
What are the penalties for noncompliance with the DPA requirements of the GDPR, CCPA, and other states' privacy laws?