Data Sharing Agreements and GDPR: What You Need To Know

Data sharing agreements between organisations with whom you send and receive information plays a major role in your compliance with the GDPR (General Data Protection Regulation) and similar regulations.

Your organisation might refer to it by a different name – such as an information sharing agreement, data sharing contract or data sharing protocol – but the principle is the same, and you must follow specific steps.

In this blog, we help you understand why data sharing agreements are essential and how you can create one that’s tailored to your organisation’s needs.

Why do organisations need a data sharing agreement?

A data sharing agreement ensures that organisations and their suppliers are clear about their roles and sets standards of what they can expect from the arrangement and what’s expected of them.

As part of that, it sets out the purpose of the data sharing and covers what happens to the information at each stage.

Furthermore, the agreement will help you justify your data sharing and provide documented proof that you have considered compliance issues.

That’s not to say that it will make you immune from non-compliance or regulatory action if you fall foul of the law.

To avoid compliance gaps, you must ensure that you and those with whom you share personal data meet the terms of your agreement.

However, the ICO (Information Commissioner’s Office) has confirmed that it will consider any relevant agreements for organisations in the UK if and when it assesses a complaint about that organisation’s data sharing.

What should a data sharing agreement contain?

The purpose of the data sharing initiative

You must explain the objective of the data sharing, why the information must be shared to achieve those objectives and the benefits of doing so.

Whether other organisations will be involved in the data sharing

You must identify all organisations involved in the data sharing and provide contact details for the relevant employee at each of those organisations.

Whether the information is shared with another controller

Organisations that act as joint data controllers alongside another organisation must set out their responsibilities in writing.

What data items are being shared

You must document the types of data you will be sharing. The more detailed you are, the better, because there will be times when you only need to share certain information about data subjects.

Lawful bases for data sharing

All organisations need to document a lawful basis for processing and sharing personal data.

Each organisation in the agreement must consider this, as the lawful basis for one may differ from the other.

Notably, there are separate rules and responsibilities for different lawful bases, and you need to make sure you’ve addressed these in your contract.

Whether you process any special category data

The GDPR places more robust controls on processing special categories of personal data.

This refers to information relating to an individual’s race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data and genetic information.

Data subject rights

Under the GDPR, individuals have certain rights about how their information is processed and used.

Your agreement must contain processes to help you identify when those rights apply and how you can meet them.

Get support creating your contracts

Creating and updating data processing contracts is a complex and time-consuming task with plenty of risks.

A mistake or omission could be the difference between GDPR compliance and a hefty fine.

For those seeking expert advice on drafting their contract, GRCI Law is here to help.

With our GDPR Contract and Legal Services package, you’ll receive guidance from a team of experienced data protection officers, lawyers, barristers and information security experts.

They’ll support you through the process of creating a contract, ensuring that it meets your organisation’s specific requirements.

There’s no need to risk doing it alone, whether you’re writing a data sharing contract or another piece of documentation – such as privacy notices and policies, HR documentation, commercial contracts or international data transfers.

Contact us today to find out how we can help.