Data sharing agreements with the organisations that you send information to and receive information from play a major role in your compliance with the GDPR (General Data Protection Regulation) and similar regulations.
Your organisation might refer to it by a different name – such as an information sharing agreement, data sharing contract or data sharing protocol – but the principle is the same and you must follow certain steps.
In this blog, we help you understand why data sharing agreements are essential, and how you can create one that’s tailored to your organisation’s needs.
Why organisations need a data sharing agreement
A data sharing agreement ensures that organisations and their suppliers are clear about their roles, and sets standards for what they can expect from the arrangement and what’s expected of them.
As part of that, it sets out the purpose of the data sharing and covers what happens to the information at each stage.
Furthermore, the agreement will help you to justify your data sharing and provide documented proof that you have considered compliance issues.
That’s not to say that it will make you immune from non-compliance or regulatory action if you fall foul of the law. To avoid compliance gaps, you must ensure that you and those with whom you share personal data meet the terms of your agreement.
However, for organisations in the UK, the ICO (Information Commissioner’s Office) has confirmed that it will take into account any relevant agreements if and when it assesses a complaint about that organisation’s data sharing.
What to include in a data sharing agreement
The purpose of the data sharing initiative
You must explain the objective of the data sharing, why the information must be shared to achieve that objective, and the benefits of doing so.
Whether other organisations will be involved in the data sharing
You must identify all organisations that will be involved in the data sharing, and provide contact details for the relevant employee at each of those organisations.
Whether the information is shared with another controller
Organisations that act as joint data controllers alongside another organisation must set out their responsibilities in writing.
What data items are being shared
You must document the types of data you will be sharing. The more detailed you are, the better, because there will be times when you only need to share certain information about data subjects.
Lawful bases for data sharing
All organisations need to document a lawful basis for processing and sharing personal data. This is something each organisation in the agreement must consider, as the lawful basis for one may differ from that of another.
Notably, there are separate rules and responsibilities for different lawful bases, and you need to make sure you’ve addressed these in your contract.
Whether you process any special category data
The GDPR places stronger controls on the processing of special categories of personal data. This refers to information relating to an individual’s race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data and genetic information.
Data subject rights
Under the GDPR, individuals have certain rights regarding the way their information is processed and used. Your agreement must contain processes to help you identify when those rights apply and how you can meet them.
Get support creating your contracts
Creating and updating data processing contracts is a complex and time-consuming task that comes with plenty of risks. A mistake or omission could be the difference between GDPR compliance and a hefty fine.
For those seeking expert advice on drafting their contract, GRCI Law is here to help.
With our GDPR Contract and Legal Services package, you’ll receive guidance from a team of experienced data protection officers, lawyers, barristers and information security experts.
They’ll support you through the process of creating a contract, ensuring that it meets your organisation’s specific requirements.
Whether you’re writing a data sharing contract or another piece of documentation – such as privacy notices and policies, HR documentation, commercial contracts or international data transfers – there’s no need to risk doing it alone.
Contact us today to find out how we can help.