  • Live Online with Live Q&A
  • November 19, 2025 @ 1:00 p.m. ET / 10:00 a.m. PT
  • Intermediate
  • Cybersecurity and Data Privacy
  • 90 minutes

Negotiating and Drafting Data Processing Agreements: Contested Issues, Regulatory Compliance, New Developments

$297.00


Description

It's hard to imagine a business today that doesn't need a DPA—or rather several such contracts—to cover data-processing activities outsourced to web hosting, cloud storage, customer relationship management, and a roster of other service providers. Generally, under the EU General Data Protection Regulation (GDPR), California's Consumer Privacy Protection Act, and other states' data privacy laws, if you're processing the personal data of individuals, you must have a DPA. Failure to comply with these requirements can result in significant penalties.

A DPA is a contract between the company that needs personal data to be processed (the data controller) and the company that processes data on behalf of other companies (the data processor). A DPA establishes the roles and responsibilities of both the data processor and the data controller, and it sets out the terms under which data will be processed. The problem is that DPA templates, whether provided by a data controller or a data processor, rarely stick to the bare bones of what the relevant laws require. Also, these agreements have become increasingly complex due to the evolving patchwork of privacy laws at the state, federal, and international level. Thus, negotiating various nonessential terms can greatly prolong the path to execution.

Listen as our authoritative panel breaks down best practices for drafting effective and compliant DPAs and how to work through the common contested issues when negotiating the nonessential terms. The panel will also provide tips for compromising on various terms from the perspective of both the data processor and the data controller.

Presented By

Patrick J. Austin
Of Counsel
Woods Rogers PLC

Mr. Austin advises clients on breach response, data privacy, information security, and regulatory compliance related to domestic and international privacy laws and regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and the Health Insurance Portability and Accountability Act (HIPAA). He is a Certified Information Privacy Professional with expertise in both U.S. and European law (CIPP/US & CIPP/E) by the International Association of Privacy Professionals (IAPP).

Amber C. Thomson
Partner
Mayer Brown LLP

Ms. Thomson counsels a wide range of clients, including private equity firms, financial institutions, and retailers, on complex and cutting-edge issues related to cybersecurity and privacy. She also helps clients assess and implement compliance and remediation efforts to comply with international and domestic regulations, including U.S. state comprehensive privacy laws, CPRA, COPPA, HIPAA, TCPA, PCI DSS, CAN-SPAM, and GDPR. Ms. Thomson’s cybersecurity incident experiences range from deepfakes to double- and triple-extortion ransomware attacks. Carrying out these efforts, she advises clients through the incident response life cycle, including remediation, investigation, and notification. Ms. Thomson also represents clients in class-action data breach litigation cases and helps clients respond to federal and state regulatory inquiries that result from these incidents. Further, Ms. Thomson regularly collaborates on privacy and data security due diligence and facilitates executive and board training on incident response, privacy legal compliance, and the U.S. cybersecurity and privacy law landscape. She is recognized as a Certified AI Governance Professional (AIGP) by the International Association of Privacy Professionals (IAPP).

Credit Information
  • This 90-minute webinar is eligible in most states for 1.5 CLE credits.


Date + Time

  • Wednesday, November 19, 2025
  • 1:00 p.m. ET / 10:00 a.m. PT

I. Purpose of a DPA

II. When a DPA is required

III. Compliance with regulatory requirements

A. GDPR

B. CCPA

C. Other U.S. states that have laws governing DPAs

D. U.S. Bulk Data Transfer Rule

IV. Penalties for noncompliance

V. Negotiating key terms of a DPA

A. Limitation of liability

B. Use of subprocessors

C. Security measures

D. Responding to data breaches

E. Audit rights

VI. New developments and trends

VII. Practitioner pointers and key takeaways

The panel will review these and other relevant issues:

  • Which data protection laws require DPAs?
  • What are the required terms of a DPA?
  • What are the privacy and security considerations for DPAs?
  • What are the key considerations, and what should you watch out for, when signing a DPA?
  • Do processors have to sign a DPA with their subprocessors?
  • What are the top pain points when negotiating DPAs, and what are some key compromise tips?
  • What are the penalties for noncompliance with the DPA requirements of the GDPR, CCPA, and other states' privacy laws?