My law is stronger than your law.
My law is stronger than your law.
Did you know that the European General Data Protection Regulation (GDPR) is not the only law which safeguards the use of personal data?
For organisations trying to comply with the GDPR, this area has raised many questions regarding conflicts with other laws and regulations, for example, the requirement to share personal data because they are legally obliged to by another law.
The GDPR should not be used as a tool to fuel the myth that “data protection says no!”.
You must consider your requirements under all laws, not just the GDPR. For example, if you have to disclose personal data to a regulator, such as the UK Financial Conduct Authority or the US Federal Trade Commission you should still consider the requirements of the GDPR.
Here are some practical tips for how to assess and approach situations where you may have a battle of the laws:
Make sure you actually have to comply with the other law
In some cases, just because a company is subject to certain laws in another country, this does not mean any of its sister companies will be. Make sure you have to comply with the other law. We know it can be scary when a regulator or any third party asks for personal data, especially if you are a small organisation, but you still have obligations to make sure that the data sharing is valid, especially if the personal data is going outside of the EEA.
Do not be afraid to challenge why this is necessary! Write down what your obligations are under both laws and then access the extent to which you have to comply.
Find your legal basis (condition) for sharing the personal data
Make sure you have a legal basis (condition) for sharing the personal data under the GDPR. If you do not then any sharing will be unlawful. The UK data protection regulator, the UK Information Commissioner’s Office has great guidance on this point and some new draft guidance which is being consulted on which will help with this assessment.
You will also need to make sure the data sharing is transparent (unless of course, this is not appropriate, for example, if the request relates to criminal activity and you may tip the alleged perpetrator off).
Does the request ask for too much or irrelevant personal data?
You must always ensure that you only share the minimum amount of personal data. If you think the request is too wide, you can only provide personal data that you think is necessary. Yes, even reputable third parties do ask for more information than is necessary for their purposes!
Minimising the personal data shared not only complies with the law but also reduces the impact of any data breaches.
Send your data securely
Just because you have been asked to share personal data and after a careful assessment you decide to share the personal data, don’t forget to still make sure you share this securely. This applies even if the request is going to the police or lawyers.
Write your assessment down
Write down how you have made your assessment and the parts of both laws that you considered. This will help you demonstrate compliance with the accountability principle.
Go through the GDPR principles and make sure you have considered each principle, for example, have you made sure the personal data is accurate before sharing this?
A simple word document will be fine – you do not need lots of fancy templates (although as a team of perfectionists we love a good data protection template!).
After you have assessed the data sharing if you are still not sure if you should share the personal data, seek some advice before sharing. It is better to withhold personal data and then share this when you know you are complying.
We have a great data sharing module as part of our new eLearning training which will help you understand your requirements for data sharing under the GDPR. For more information about our eLearning or to get in touch email us at firstname.lastname@example.org.