Do you share personal data? The rules have changed. Here’s how and what you should do.
Given the broad definition of personal data under UK law – in essence, any information from which someone can be identified – it is likely that your organisation shares personal data with other organisations on a regular and systematic basis as part of standard business operations.
As a reminder, data protection law distinguishes between two types of organisation:
— “controllers” – organisations which decide why and how they will use personal data; and
— “processors” – organisations which only use personal data as instructed by controllers, and which would have no other interest in that personal data apart from those instructions.
It is likely that your organisation acts as a controller.
What has changed?
Previously, it was only obligatory to enter into a written contract when controllers shared personal data with processors. Using powers given to it under the Data Protection Act 2018 (“DPA”), the ICO (the UK data protection regulator) has brought into force a new Data Sharing Code of Practice which effectively obliges controllers to now also enter into a written contract when sharing personal data with other controllers.
Why does this matter?
In brief, this is important because most of your personal data sharing operations are likely to be conducted between organisations classified as controllers under UK data protection law.
Is this a strict legal obligation?
The new Code of Practice might be described as “Vicky Pollard law”, in that the answer is “yeh but no but yeh but no”. It is not strictly obligatory under the UK GDPR (which has replaced the GDPR following the end of the Brexit transition period) or the DPA to have a written contract in place between controllers, and the ICO describes their use as “good practice” in the Code of Practice.
But at the same time:
— the Code of Practice sets out, as an obligation, a series of points you must consider before sharing personal data with other organisations;
— the principle of accountability under the UK GDPR requires that you are responsible for your own compliance and that you must be able to demonstrate that compliance on regulatory demand;
— the UK GDPR also obliges you to be able to show that you have instituted data protection compliance by design and default at organisational level;
— the ICO uses the standards of its codes of practice when conducting regulatory investigations; and
— the Code of Practice states that organisations may find it more difficult to demonstrate compliance with its requirements without having written contracts in place.
We, therefore, recommend thinking of the Code of Practice as “backdoor” law. In other words, although UK data protection law does not technically mandate the use of data-sharing agreements, it is obvious that the ICO’s expectation is that parties involved in data sharing arrangements will have some contractual documentation in place as a way of evidencing their respective responsibilities.
What should we do?
The quickest, easiest and most cost-effective solution is to:
— have a template data sharing agreement in place which satisfies the requirements of the Code of Practice; and
— ensure that stakeholders understand when it needs to be used.
We have designed a template agreement and short-form guidance which will help you achieve these objectives, and thereby avoid regulatory risk, quickly and cheaply. Please get in touch with our Head of Data Privacy, Lucas Atkin, if you would like to know more.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. For advice, get in touch with your usual Greenwoods GRM contact or scroll down to complete our enquiry form.