In my daughter’s favourite “One Year with Kipper” book, May is the month that blossom is on the ground and ducklings are to be spotted in parks, but for me, since 2018, it will be the month of the GDPR and all things Data Protection. One area of the GDPR that is often overlooked is the requirements on data sharing.
Data sharing is a form of data processing and is widely pervasive – it's not just about selling customer names to marketing list companies. You are data sharing when you send PAYE and NICs information to HMRC. You are data sharing when you prepare a direct marketing campaign with your agency, and you are data sharing when you sell your business to another party.
There is a distinction between data that is shared with a processor and data that is shared with another controller. Processors must be subject to a data processing agreement that will include mandatory clauses. As the controller, you impose standards of care on your processors that will protect the data on behalf of data subjects. But sharing data with other controllers is different. The regulations require that an “arrangement” is in place between joint controllers (such as retailers and brands presenting a joint promotion to consumers) but are not explicit with regard to independent controllers, for example selling customer lists to a third party. Nonetheless, from a risk management point of view, a detailed agreement regarding data sharing between controllers is equally a must. For example, you may have state of the art cyber security, but if your supplier is using unencrypted memory sticks and there is no consequence for them if they fail to do better, your investment is wasted. You will both be liable to report the breach and deal with the costs, damages and potential fines associated with the breach, but the financial liability and reputational damage may not fall equally or fairly.
Other examples of risks when data sharing are:
- One party using the data beyond the limits of what it was collected for
- Keeping data longer than is necessary
- The data received is inaccurate or out of date and leads to inappropriate or distressing outcomes (a common one is sending direct mail to deceased persons)
- The data is inaccurately collated between the controllers and leads to incorrect assumptions about the data subject (such as identity theft resulting in erroneous credit scores)
The old Data Protection Act (1998) was very quiet with regard to how data could be shared between parties and, in order to fill the gap, the ICO issued the Data Sharing Code in 2011. This code was revised by the ICO in light of the GDPR and the new DPA 2018, with a consultation on the draft wording closing in September 2019. I think, in the ordinary course of events, the new code would be with us by now, but there is no news as yet from the ICO about formal publication of the 2020 version. However, the ICO is legally required to issue a new code and the Courts have given weight to the 2011 version, so it is advisable to refer to the draft code when considering data sharing arrangements.
Data sharing agreements should cover the following:
- Detail who the parties are to the sharing. Be careful about intra-group relationships. Is the data being shared with a whole Group or just the particular counterparty?
- Detail what data is being shared. Set out why it is necessary to share this much data (underlining adherence to the data minimisation principle).
- What is the purpose of the sharing? Set out a clear agreement on the purpose. Be honest if there is a commercial element.
- Set out responsibility for preparing a data protection impact assessment and keeping it updated.
- Is the data quality going to be tested? How will this work in practice? If the data quality is sub-standard, how will this be addressed?
- Set out how risk shall be apportioned. For example, what level of security are both parties expected to apply to the data?
- Include indemnities where parties do not adhere to the terms agreed.
- Set out procedures for dealing with complaints.
- Set out procedures for dealing with data subject access requests, including the cost burden for preparation of a response.
- Set out procedures for the parties to deal with data breaches, including how liability for damages will be apportioned.
- What will happen to the data, if the data sharing agreement is terminated or breached?