A Data Protection Agreement is necessary when an organisation allows any third party to access or process personal data. This includes storage of files in the cloud, the use of work management systems, marketing or bulk-email software, as well as any situation where you allow access to an individual’s personal data by anyone outside of your organisation. If you are sharing personal data, it is your obligation to ensure that there is a DPA in place.