Data Sharing Agreements: What is the Best Practice?

The ICO states that ‘…whenever a controller uses a processor, there must be a written contract (or other legal act) in place...’ The GDPR sets out what needs to be included in the contract. But what happens if you are a controller sharing data with another controller? You need a Data Sharing Agreement.

Although Data Sharing Agreements do not have an official definition, in July 2019 the ICO released their draft consultation paper (105 pages) entitled ‘Data Sharing Code of Practice’. This has yet to be moved to final status. The key guidance is that ‘… It is good practice to have a data sharing agreement. It sets out the purpose of the data sharing, covers what is to happen to the data at each stage, sets standards and helps all parties to be clear about their respective roles...’

This is a code and not an instruction. Companies are not obliged to follow it, but it is best practice. If you do not follow this code then, as the code states, ‘… you may find it more difficult to demonstrate that your data sharing is fair, lawful and accountable and complies with the GDPR...’

Our advice is to follow the ICO Data Sharing Code of Practice.

About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance in a cost-effective manner with minimal disruption. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at 

A photo of a handshake.

Photo by Cytonn Photography.