When sharing personal data with another controller, there are a number of things you need to think about from a data protection compliance point of view. Below, we have set out some top tips to help you on your way to compliant sharing.
- Consider whether any internal policies will apply to the sharing. These may be specific data sharing policies, or more general policies, such as those that relate to third-party management.
- Plan the sharing. At this stage, map out the factual matters: why the sharing is necessary, what data you need to share, whether the sharing will be one-off or continuing, which parties are involved, whose data is being shared (are any vulnerable individuals involved?), and where (geographically) the data will be sent and used. This is also a good time to develop clear objectives for the data sharing and to ensure you understand how the sharing will achieve them. Make sure you document your thinking!
- Weigh the benefits and risks of sharing/not sharing the data by means of a DPIA (the ICO recommends this even if there is no legal requirement), keeping the data protection principles in mind, in particular fairness and transparency.
- Ensure there is a lawful basis for the sharing, remembering that if you are sharing special category data, you will need to ensure you have grounds under Articles 6 and 9 of the GDPR.
- Consider what your relationship is with the other party – are you separate or joint controllers?
- Consider how to divide up roles such as the provision of privacy information, handling of data breaches and individuals’ rights requests. It is important that the sharing does not endanger compliance with the parties’ obligations in these regards. Where multiple parties are involved, there is a danger of compliance failures if responsibilities are not clearly defined.
- Consider retention and deletion of the data. How long does data need to be kept and how will it be deleted/returned at the end of this period?
- Draw up an agreement. This acts as a record of the sharing and will set out the obligations of each party with respect to it. This will also assist you in complying with your accountability obligations.
- Share securely. Ensure the method used to transfer the data is appropriately secure for the data being shared.
- As relevant, consider creating a data sharing policy and procedures to ensure a uniform approach to data sharing is adopted or review existing procedures to ensure they are fit for purpose.
- Review the arrangements. Data sharing should be reviewed regularly to ensure it is still necessary to meet the agreed objectives and that the arrangements in place are working efficiently.
The ICO has published a data sharing code of practice, which is essential reading for those embarking on a data sharing project.