What Is a Data Processing Agreement and Does Your Business Need One?
Learn what a Data Processing Agreement (DPA) is, who needs one, and how to get one in place. Essential reading for GDPR and POPIA compliance.
Your CRM processes your clients' data. Does it have a DPA?
Think about the tools your business uses daily: your CRM, email marketing platform, accounting software, cloud storage, payment processor. Each handles personal data belonging to your clients. Under GDPR and POPIA, this creates a specific legal obligation most small businesses overlook — you must have a Data Processing Agreement in place with each of these providers.
Controller vs Processor
A data controller decides why and how personal data is processed — your business, deciding to collect and store client email addresses. A data processor processes personal data on the controller's behalf — your CRM provider, storing and managing what you put into it. When you engage a data processor, both GDPR (Article 28) and POPIA (Section 21) require a written agreement governing how the processor handles the data.
What must a DPA contain?
A DPA must specify the subject matter and duration of processing, the nature and purpose, the type of personal data and categories of individuals, and the obligations and rights of the controller. The processor must commit to: only processing data on documented instructions; ensuring confidentiality; implementing appropriate security; assisting with data subject rights requests; deleting or returning data at contract end; and allowing audits.
Which suppliers need a DPA?
Any third-party service that handles personal data on your behalf: CRM and contact management software; email marketing platforms; accounting and invoicing software; cloud storage providers; payment processors; HR and payroll software; website hosting; helpdesk tools; video conferencing tools if recordings are stored.
How to get a DPA in place
For most major providers, you don't need to negotiate bespoke terms. Go to the privacy or legal section of your provider's website and search for "Data Processing Agreement" or "DPA". Most major providers (Google, Microsoft, Salesforce, HubSpot, Xero) have DPAs readily available to accept or sign. Log each one in a simple spreadsheet as part of your Records of Processing Activities.
If a provider won't provide a DPA
A legitimate provider that handles personal data and refuses to provide a DPA is a red flag. Using such a provider without appropriate contractual protections exposes you to regulatory risk. Consider switching to a provider that takes compliance seriously.
If you are a processor yourself
If your business processes client data on behalf of your clients — an IT company managing client systems, a payroll bureau — your clients should be asking you to sign their DPA. Raising it proactively demonstrates professionalism and reduces your liability.