
Data Processing Agreements: Understanding the Pain Points, Negotiating Key Terms, Ensuring Regulatory Compliance

Breaking Down What a DPA Is, How it Works, and Why All Businesses Need Them

Recording of a 90-minute CLE video webinar with Q&A


Conducted on Tuesday, August 22, 2023


This CLE webinar will guide corporate and technology counsel in negotiating data processing agreements (DPAs). DPAs are an essential but often overlooked part of data security for businesses. The panel will break down the pain points when negotiating DPAs and will provide compromise tips to help ensure a path to execution.


It's hard to imagine a business today that doesn't need a DPA, or rather several such contracts, to cover data processing activities outsourced to web hosting, cloud storage, customer relationship management, and a roster of other service providers. Generally, under the EU's GDPR, California's Consumer Privacy Protection Act, and other state laws, if you're processing the personal data of individuals, you must have a DPA. Failure to comply with these requirements can result in significant penalties.

A DPA is a contract between the company that needs personal data to be processed (the data controller) and the company that processes data on behalf of other companies (the data processor). A DPA establishes the roles and responsibilities of both the data processor and the data controller, and it sets out the terms under which data will be processed. The problem is that DPA templates, whether provided by a data controller or a data processor, rarely stick to the bare bones of what the relevant laws require. Thus, negotiating various non-essential terms can greatly prolong the path to execution.

Listen as our authoritative panel breaks down best practices for drafting effective and compliant DPAs, and how to work through the pain points of negotiating the non-essential terms. The panel will also provide tips for compromising on various terms from the perspective of both the data processor and the data controller.



  1. Purpose of a DPA
  2. When is a DPA required
  3. Compliance with regulatory requirements
    1. GDPR
    2. CCPA
    3. Other U.S. states that have laws governing DPAs
  4. Penalties for noncompliance
  5. Negotiating key terms of a DPA
    1. Limitation of liability
    2. Use of subprocessors
    3. Security measures
    4. Responding to data breaches
    5. Audit rights


The panel will review these and other relevant issues:

  • Which data protection laws require DPAs?
  • What are the required terms of a DPA?
  • What are the privacy and security considerations for DPAs?
  • What are the key considerations, and what should you watch out for, when signing a DPA?
  • Do processors have to sign a DPA with their sub-processors?
  • What are the top pain points when negotiating DPAs, and what are some key compromise tips?
  • What are the penalties for noncompliance with the DPA requirements of the GDPR, CCPA, and other state privacy laws?


Eran Kahana

Maslon LLP and Stanford Law School

Mr. Kahana is an experienced technology and IP lawyer, and also a Research Fellow at Stanford Law School. He counsel...

Michael L. Whitener

VLP Law Group

Mr. Whitener’s practice focuses on technology transactions and corporate compliance. In the area of technology...

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.
