The UK Information Commissioner’s Office has issued a data sharing code of conduct for public consultation.
- When considering sharing data, assess your overall compliance with the data protection legislation. Consider conducting a Data Protection Impact Assessment (DPIA) even if not required.
- It is good practice to have a data sharing agreement. It sets out the purpose of the data sharing, covers what is to happen to the data at each stage, sets standards and helps all the parties to be clear about their respective roles. It helps you to demonstrate your accountability under GDPR.
- Identify at least one lawful basis for sharing data from the start.
- Always share personal data fairly and in a transparent manner. When you share data, you must ensure it is reasonable and proportionate. You must ensure individuals know what is happening to their data unless an exemption or exception applies.
- In a data sharing arrangement, you must have policies and procedures that allow data subjects to exercise their individual rights with ease.
- If a merger or acquisition (M&A) means that you have to transfer data to a different controller, you must take care. Consider data sharing as part of your due diligence.