Who can you share data with?
While it is not unusual for businesses to share data, if you are sharing personal data you will need to take steps to ensure that such sharing is done lawfully. It is important to remember that the rules on data sharing don’t just apply where data is being shared between unrelated organisations; they also apply where data is being shared between companies in the same group.
There are three main data sharing arrangements:
- data sharing between a data controller and data processor
- data sharing between a data controller and another data controller
- data sharing between a data processor and a sub-processor
For each type of arrangement the sharing is likely to be either systematic (i.e. an ongoing arrangement) or in response to one-off/ad hoc requests.
The ICO has published a Data Sharing Code of Practice and related checklists. While these documents have not been updated to reflect the provisions of the GDPR, they still provide a handy step-by-step guide through the process of deciding whether to share personal data.
Prior to sharing any personal data it is important to consider:
- What is the personal data sharing intended to achieve?
- What type of data is being shared?
- What are the potential benefits and risks to the data subjects and/or wider community of sharing or not sharing the data?
- Is the data sharing proportionate to the issue being addressed?
- Could the objective be achieved without sharing personal data?
- What is the legal basis for the data sharing?
Where personal data is being shared between a data controller and a data processor, or between a data processor and a sub-processor, the GDPR requires that a data sharing contract be put in place. If personal data is being shared between data controllers, it is also strongly advisable to put in place a written contract formalising the data sharing arrangements.
In order for the data sharing to be lawful, the data subject must be aware of the data sharing (unless an exemption applies) and the parties sharing the data must have a clear legal basis for sharing data (for example, consent or legitimate interests).
If data is being shared outside of the European Economic Area (EEA) the international implications of the data sharing will also need to be considered. For more information on this, see our page on international transfers.