Does your business need a data sharing or processing agreement?

A data sharing agreement is a crucial legal document that outlines the terms and conditions for sharing personal data between two or more organisations. While the UK GDPR doesn't explicitly mandate a written agreement between data controllers, it's highly recommended, especially when sharing significant amounts of sensitive data.

Joint Controllers vs. Independent Controllers

When sharing personal data, you can either be a joint controller or an independent controller.

• Joint Controllers - both parties share responsibility for the data and its processing. A written agreement is recommended to clarify roles, responsibilities, and accountability.

• Independent Controllers - each party processes the data independently for their own purposes. While a written agreement isn't strictly required, it's highly advisable to ensure clarity, accountability, and compliance with data protection laws.

Key Clauses to Consider in a Data Sharing Agreement

A well-drafted data sharing agreement should include the following key clauses:

• Purpose and Scope - clearly define the purpose of the data sharing and the specific types of data involved.

• Data Subject Rights - outline how data subject rights (e.g., access, rectification, erasure) will be exercised and fulfilled.

• Security Measures - specify the security measures to be implemented to protect the shared data.

• Data Retention and Deletion - set out guidelines for data retention periods and deletion procedures.

• Liability and Indemnification - allocate liability for data breaches and other issues.

• Dispute Resolution - establish a mechanism for resolving disputes.

• International Data Transfers - address any cross-border data transfers and ensure compliance with relevant regulations.

• Joint Controller Responsibilities - if applicable, outline the specific responsibilities of each joint controller.

• Roles and Responsibilities - clearly define the roles and responsibilities of each party.

• Risk Assessment - assess the potential risks associated with the data sharing and implement appropriate safeguards.

• Data Security - ensure that robust security measures are in place to protect the shared data.

By carefully considering these factors and seeking legal advice, you can ensure that your data sharing agreements are legally sound and protect your organisation's interests.