Negotiating and Drafting Data Processing Agreements: Contested Issues, Regulatory Compliance, New Developments

Welcome! Strafford is now BARBRI! The expert courses you know from the trusted global leader in legal education.
Course Details
- smart_display Format
Live Online with Live Q&A
- signal_cellular_alt Difficulty Level
Intermediate
- work Practice Area
Cybersecurity and Data Privacy
- event Date
Wednesday, November 19, 2025
- schedule Time
1:00 p.m. ET./10:00 a.m. PT
- timer Program Length
90 minutes
-
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
-
Live Online
On Demand
This CLE webinar will guide privacy counsel on the latest developments and strategies for negotiating and drafting data processing agreements (DPAs). The panel will break down the common contested issues when negotiating DPAs and provide compromise tips to help ensure a path to execution.
Faculty

Mr. Austin advises clients on breach response, data privacy, information security, and regulatory compliance related to domestic and international privacy laws and regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and the Health Insurance Portability and Accountability Act (HIPAA). He is a Certified Information Privacy Professional with expertise in both U.S. and European law (CIPP/US & CIPP/E) by the International Association of Privacy Professionals (IAPP).

Ms. Thomson is a member of the firm’s Cybersecurity & Data Privacy practice and also the firm’s Litigation & Dispute Resolution practice. Sher counsels clients on complex and cutting-edge issues related to cybersecurity, privacy, and big data, along with helping clients navigate the international trade landscape. This includes counseling clients on CFIUS filings, export controls, country-of-origin requirements, and Miscellaneous Tariff Bill petitions. Ms. Thomson also advises clients on employee mobility matters.
Description
It's hard to imagine a business today that doesn't need a DPA—or rather several such contracts—to cover data-processing activities outsourced to web hosting, cloud storage, customer relationship management, and a roster of other service providers. Generally, under the EU General Data Protection Regulation (GDPR), California's Consumer Privacy Protection Act, and other states' data privacy laws, if you're processing the personal data of individuals, you must have a DPA. Failure to comply with these requirements can result in significant penalties.
A DPA is a contract between the company that needs personal data to be processed (the data controller) and the company that processes data on behalf of other companies (the data processor). A DPA establishes the roles and responsibilities of both the data processor and the data controller, and it sets out the terms under which data will be processed. The problem is that DPA templates, whether provided by a data controller or a data processor, rarely stick to the bare bones of what the relevant laws require. Also, these agreements have become increasingly complex due to the evolving patchwork of privacy laws at the state, federal, and international level. Thus, negotiating various nonessential terms can greatly prolong the path to execution.
Listen as our authoritative panel breaks down best practices for drafting effective and compliant DPAs and how to work through the common contested issues when negotiating the nonessential terms. The panel will also provide tips for compromising on various terms from the perspective of both the data processor and the data controller.
Outline
I. Purpose of a DPA
II. When is DPA required
III. Compliance with regulatory requirements
A. GDPR
B. CCPA
C. Other U.S. states that have laws governing DPAs
D. U.S. Bulk Data Transfer Rule
IV. Penalties for noncompliance
V. Negotiating key terms of a DPA
A. Limitation of liability
B. Use of subprocessors
C. Security measures
D. Responding to data breaches
E. Audit rights
VI. New developments and trends
VII. Practitioner pointers and key takeaways
Benefits
The panel will review these and other relevant issues:
- Which data protection laws require DPAs?
- What are the required terms of a DPA?
- What are the privacy and security considerations for DPAs?
- What are the key considerations and what to watch out for when signing a DPA?
- Do processors have to sign a DPA with their subprocessors?
- What are the top pain points when negotiating DPAs, and what are some key compromise tips?
- What are the penalties for noncompliance with the DPA requirements of the GDPR, CCPA, and other states' privacy laws?
Unlimited access to premium CLE courses:
- Annual access
- Available live and on-demand
- Best for attorneys and legal professionals
Unlimited access to premium CPE courses.:
- Annual access
- Available live and on-demand
- Best for CPAs and tax professionals
Unlimited access to premium CLE, CPE, Professional Skills and Practice-Ready courses.:
- Annual access
- Available live and on-demand
- Best for legal, accounting, and tax professionals
Unlimited access to Professional Skills and Practice-Ready courses:
- Annual access
- Available on-demand
- Best for new attorneys
Related Courses

Negotiating and Drafting Data Processing Agreements: Contested Issues, Regulatory Compliance, New Developments
Wednesday, November 19, 2025
1:00 p.m. ET./10:00 a.m. PT
Recommended Resources
Explore the Advantages of Consistent Legal Language
- Learning & Development
- Business & Professional Skills
- Talent Development
The Power of Project Management: Using the 80/20 Rule in E-Discovery
- Legal Technology
- E-Discovery