Data Sharing Agreements: What is the Best Practice?

Two people shaking hands
Photo by Cytonn Photography.

The ICO states that ‘…whenever a controller uses a processor, there must be a written contract (or other legal act) in place…’ The GDPR sets out what needs to be included in the contract. But what happens if you are a controller sharing data with another controller? You need a Data Sharing Agreement.

Although Data Sharing Agreements do not have an official definition, in July 2019 the ICO released their draft consultation paper (105 pages) entitled ‘Data Sharing Code of Practice’. This has yet to be moved to final status. The key guidance is that ‘… It is good practice to have a data sharing agreement. It sets out the purpose of the data sharing, covers what is to happen to the data at each stage, sets standards and helps all parties to be clear about their respective roles…’

This is a code and not an instruction. Companies are not obliged to follow it, but it is best practice. If you do not follow this code then, as the code states, ‘… you may find it more difficult to demonstrate that your data sharing is fair, lawful and accountable and complies with the GDPR…’

Our advice is to follow the ICO Data Sharing Code of Practice.

About Us: Tacita are GDPR compliance experts. Tacita help clients achieve and maintain GDPR compliance. Get in touch to explore our range of GDPR services including the Tacita GDPR Audit, GDPR Consultant Service and the GDPR Toolkit.

Share this article: