The ICO states that ‘…whenever a controller uses a processor, there must be a written contract (or other legal act) in place…’ The GDPR sets out what needs to be included in the contract. But what happens if you are a controller sharing data with another controller? You need a Data Sharing Agreement.
Although Data Sharing Agreements do not have an official definition, in July 2019 the ICO released their draft consultation paper (105 pages) entitled ‘Data Sharing Code of Practice’. This has yet to be moved to final status. The key guidance is that ‘… It is good practice to have a data sharing agreement. It sets out the purpose of the data sharing, covers what is to happen to the data at each stage, sets standards and helps all parties to be clear about their respective roles…’
This is a code and not an instruction. Companies are not obliged to follow it, but it is best practice. If you do not follow this code then, as the code states, ‘… you may find it more difficult to demonstrate that your data sharing is fair, lawful and accountable and complies with the GDPR…’
Our advice is to follow the ICO Data Sharing Code of Practice.