Data Sharing Agreements: What is the Best Practice?

Two people shaking hands
Photo by Cytonn Photography.

The ICO states that ‘…whenever a controller uses a processor, there must be a written contract (or other legal act) in place…’ The GDPR sets out what needs to be included in the contract. But what happens if you are a controller sharing data with another controller? You need a Data Sharing Agreement.

Although Data Sharing Agreements do not have an official definition, in July 2019 the ICO released their draft consultation paper (105 pages) entitled ‘Data Sharing Code of Practice’. This has yet to be moved to final status. The key guidance is that ‘… It is good practice to have a data sharing agreement. It sets out the purpose of the data sharing, covers what is to happen to the data at each stage, sets standards and helps all parties to be clear about their respective roles…’

This is a code and not an instruction. Companies are not obliged to follow it, but it is best practice. If you do not follow this code then, as the code states, ‘… you may find it more difficult to demonstrate that your data sharing is fair, lawful and accountable and complies with the GDPR…’

Our advice is to follow the ICO Data Sharing Code of Practice.

https://ico.org.uk/media/2615361/data-sharing-code-for-public-consultation.pdf

About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. Tacita helps clients obtain and maintain GDPR compliance in a cost effective and time effective manner. Get in contact if you want to explore our range of GDPR services.

Share this article:

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on whatsapp
WhatsApp

More articles