Hello, my name is Bradley Bailyn, and this is Think Like a Lawyer. I’m an attorney who focuses on helping founders, mostly tech companies, to survive in the crazy world that we’re living in today. I would like to talk about data processing agreements. You’ve probably never heard of a data processing agreement, and you’ll probably never think about it until your business is wiped off the face of the earth because you failed to have a data processing agreement.
 
To understand why this is important, let’s talk for a minute about how a law is made. Basically, somebody donates money or gets in a position to be able to bring a lot of votes to their local city councilman, congressman, senator, state senator at whatever level they want to get legislation passed and their lobbyist says, “You know, it would be really helpful to consumers or to the general public if there was a law that prevented or required A, B or C.”
 
And what do the elected officials say? What happens when you ask for a reference from someone? Typically they say, “You write it and I’ll sign it if it looks reasonable.” And it’s the same thing with legislation. “You write the bill and I’ll introduce it if it looks reasonable.” That’s pretty much how it works. So now, all over the world, there has been a strong push for stronger regulation of consumer data, and various authorities are coming out and regulating consumer data all over the world.
 
You’ve got the European Union with the GDPR, which is a massive regulation. And if you do any business with people who are from Europe or you have any kind of a presence in Europe, so help you God if you don’t know what the GDPR is or how it works. Now in California, you have the CCPA (California Consumer Privacy Act), and that is intended to more or less be a copy of the GDPR. And we have the New York SHIELD Act, and maybe six to eight states right now that are thinking about passing consumer privacy regulations.
 
How do you deal with regulations that affect your business popping up all over the world? Typically, you try to find whoever is the most stringent and comply with their regulations. And then that puts you mostly in compliance with everyone else’s regulations. That’s how we deal with this in the context of employment law, where so many different cities all have their own rules that apply to employers who have a remote employee in that city.
 
So what exactly is a data processing agreement? Let’s start here. Basically, if you come into contact with people’s personal information… in any way that you could come into contact with it… by directly collecting it, by selling it, by reselling it, by processing it, by adding value to it, whatever the case may be. If you’re coming into contact with people’s confidential data, then you are one of two things. You are a data controller or you are a data processor. And there are different rules that apply to data controllers and data processors.
 
The data controller is the brains of the operation. The data controller is usually the owner of the data and is the person who determines, or I should say the company that determines, how that data is going to be used, for what and when. The data processor is the company that’s doing whatever it is that the data controller wants done with the data. And there’s a very high potential for lawsuits against the controller and the processor. But there are different risks depending on what your contract says between the two of you and what it is that you’re doing.
 
So if you are going to think like an entrepreneur, then what do you do? You just forget about it and hope that it doesn’t happen. And then if it does, you panic and you call your lawyer. If you’re going to think like a lawyer, which is the name of this podcast, then you say, how can I transfer as much risk as humanly possible to other people in the value chain who are not as sophisticated as I am? And how do I get people who have legal rights against me to simply waive those rights to begin with so I don’t even have to worry about transferring the risk, I’m simply mitigating the risk.
 
And then for the risks that I do have to face, which hopefully is 10 percent of what I could be forced to face, what am I going to do about those? Am I going to get an insurance policy for that, or am I just going to be really, really careful and put policies in place to prevent problems? Now, you also shouldn’t think that this is a brand new issue. This is a situation that’s been going on for a long time with HIPAA.
 
A lot of you out there, especially people in healthtech, probably know what HIPAA is. It’s a federal law that regulates consumer health care information. And anyone who’s doing medical billing or otherwise working with health care data really should have in place a data processing agreement.
 
The last thing I want you to be aware of in this video, and I can make many more videos about this, but the thing you need to think about is due diligence. It’s the same way that a board of directors cannot escape liability for doing things that are wrong simply because they did not know about it; they have a duty of due diligence. It’s the same thing with a data controller or a data processor or a data subprocessor or anyone in the data value chain.
 
You cannot just rely on having a strong contract and go to sleep. This is not a legal term, but this is what they informally call “wink, wink, nod, nod,” where you have an agreement that says one thing, but you’re doing something else, and everybody knows that you’re doing something else, and you feign not to know about it when in reality it’s completely obvious and you should have known about it. And if you didn’t know about it, then you’re just completely negligent and you will be deemed to have known about it.
 
So you need to be engaging in due diligence with everyone in the value chain, which means you need to be talking to the people who are processing and controlling data, looking at the paperwork that they generate, and making sure that you specify in your data processing agreement who is accountable, how they are accountable, what the audit trail is going to be to make sure that the law is being complied with, etc.
 
This is complicated, and you’re going to need to speak with an attorney about this. I do a lot of this, and there are other attorneys who also do this kind of work. You’ve got to have someone who really knows something about this kind of thing because it’s an emerging field of law. It’s technical and it’s complicated. But with that being said, it doesn’t have to be so bad as long as you open your eyes and face it before you commit a serious violation or get hacked and it turns out that you weren’t in compliance and you have all kinds of liability.
 
All right. So if you have any questions, my phone number is 646-326-9971. Feel free to call that number or text me. People do this all the time. Or you can email me at brad@bailynlaw.com.
 
As my standard disclaimer, don’t rely on anything that I say in a video to make extremely important decisions that affect your business or your personal livelihood. Information changes. Facts are specific to your situation, and what I say may be correct in one person’s situation and completely incorrect in your situation. All right. So be careful. To be forewarned is to be forearmed. Have a good day and a profitable new year.