By Mikkel Hald, 18/05/18
To ensure its GDPR compliance, WAYF is currently working to edit its templates for the data processor agreements that identity and service providers must sign when joining the federation.
Up until now, each organisation's WAYF participation has been governed through a single document describing both the business terms and the data protection aspects. In future, WAYF expects to govern the data protection aspects of federation participation in a special document — a data processor agreement — as an appendix to the actual business contract document. WAYF's new data processor agreement is based on the Danish Data Protection Agency's template for GDPR-era data processor agreements.
Each organisation joining WAYF in the future thus will have to adopt two separate documents: both a business agreement, defining pricing and other terms for federation participation — and a separate data processor agreement, defining how WAYF fulfills its role as a data processor for the organisation.
WAYF expects, in the time to come, to require organisations already participating in the federation to adopt the updated agreement documents once their drafting has been completed.
In future, WAYF hopes to be able to handle the agreement apparatus purely digitally, using digital signatures.