ELI5: What are Data Ownership and Processing Agreements?
If you lend your skateboard to a friend, you still own it and you set the rules — no tricks off the roof! These agreements spell out who owns the data and exactly what another company is allowed to do with it.
Definition
Data ownership and processing agreements are contractual documents that establish who has legal ownership and control over data, and how third parties that process that data are permitted to handle, store, access, and delete it. Under GDPR (Article 28), this relationship is formalized through a Data Processing Agreement (DPA) between the data controller (who determines the purposes and means of processing) and the data processor (who processes data on behalf of the controller and only on its documented instructions). HIPAA imposes a parallel requirement through Business Associate Agreements (BAAs) whenever a vendor handles protected health information (PHI) for a covered entity.
Key Details
- Data controller: determines the purposes and means of data processing (typically the organization that collects the data); the roles follow what each party actually does, not the labels written into the contract
- Data processor: processes data on behalf of the controller and only on the controller's documented instructions (typically a vendor, SaaS or cloud provider)
- A GDPR-compliant DPA must set out: the subject matter and duration of processing, its nature and purpose, the types of personal data and categories of data subjects, the processor's confidentiality and security obligations (Article 32), conditions for engaging sub-processors, assistance with data subject requests and breach notification, deletion or return of the data when processing ends, and the controller's audit rights
- Sub-processor check: the processor needs the controller's prior written authorization (specific or general) before engaging a sub-processor and must flow the same contractual obligations down to it; a change to the vendor's published sub-processor list should trigger a review, not just an automatic acceptance
- HIPAA Business Associate Agreements (BAAs) are legally required when a business associate creates, receives, maintains, or transmits PHI on behalf of a covered entity; the BAA flows the Privacy and Security Rule obligations down to the vendor, which is also directly liable under the Security Rule
- Exam tip: the data owner (often a business unit leader) is accountable for the data and its classification; the data custodian (IT) manages day-to-day protection on the owner's behalf
Connections
- Parent: third-party-risk — processing agreements govern how vendor relationships handle data securely
- See also: hipaa
- See also: gdpr