<img src="https://certify.alexametrics.com/atrk.gif?account=b2hlr1ah9W20em" style="display:none" height="1" width="1" alt="">
    Find courses

    8 Steps for GDPR Compliance When Sharing Data

    Published on 13 Feb 2020 by Lynne Callister

    Before you transfer personal data to other organisations, especially outside the EEA, you need to stop and think about the GDPR implications.

    The sharing of personal data by businesses and organisations within Europe is subject to the General Data Protection Regulation (GDPR). Data sharing isn't wrong. There are legitimate reasons for companies to share personal information.

    For example:

    • Retailers may share someone's address with a courier to get their order delivered
    • Travel firms may pass on your personal information to a hotel in preparation for a stay
    • Healthcare providers need to share a patient's medical history with a consultant in readiness for an operation
    • A finance company may share personal data with a credit rating agency to establish creditworthiness

    Crucially, before you share personal information, make sure there's a legitimate reason for doing so, the protections are adequate, and there are appropriate safeguards are in place.

    A lot has changed since the introduction of the GDPR, not least the UK referendum. That's why it's worth taking a fresh look at how to stay compliant when sharing data under the GDPR.

    What steps should you take to ensure GDPR compliance?

    1. Consider legitimacy - Why are you sharing data in the first place? What is your lawful basis for this? What are you hoping to achieve? Is it justified? Is the data sharing proportionate? What and how much data will be shared? With whom?
    2. Weigh up the benefits versus the risks - What are the benefits and risks in sharing or not sharing the information? Remember, if there is a high risk to the rights and freedoms of data subjects, conduct a data protection or Privacy Impact Assessment.
    3. Ascertain whether you have the right to share information - For example, what type of organisation do you work for, what relevant powers or functions does it have, what is the nature of the information you're planning to share (e.g. is it confidential, especially sensitive, etc.), and is there a legal obligation (such as a legal requirement, a court order, a safeguarding duty, etc.).
    4. Think about where the data transfer is between – Is it to a country outside the EEA? If so, is the transfer covered by an adequacy decision which safeguards individuals' rights and freedoms?
    5. If there is no adequacy decision, consider whether other safeguards govern the transfer - For example, binding corporate rules (BCRs), standard contractual clauses (SCCs) approved by the Commission etc.
    6. No adequacy decision and no appropriate safeguards? Check whether an exception covers the transfer - Among other things, for example, whether you have the individual's explicit consent, you have a contract with the individual, the transfer is necessary for reasons of public interest, a legal claim or to protect vital interests.
    7. Develop sharing protocols and agreements - are there any sharing protocols or agreements currently in place with the third party? How frequently is information shared with them? What information will you give to data subjects about this? At what point and how will this be communicated? What specific measures are in place to maintain security (e.g. encryption)?
    8. Keep data up-to-date and accurate - how will you ensure that the data you have shared remains up-to-date and accurate? Who is responsible for doing this (the company doing the sharing or the recipient company)? What arrangements are in place if data subjects want to access it? How long should each party retain data, and what processes are required to ensure it is deleted by all parties when it is no longer needed?

    Free GDPR Self Assessment Questionnaire

    How will Brexit affect GDPR?

    It’s worth getting to grips with these rules now, as many of them will continue to apply once the UK leaves the EU. According to the ICO, the UK rules will mirror the existing GDPR rules.

    There will be transitional arrangements in place, so transfers from the UK to the EEA will not be restricted. Data transfers outside the EEA must continue to meet GDPR rules. The UK government has indicated an intention to recognise existing EU adequacy decisions, BCRs and SCCs. PECR rules on marketing and electronic communications will also continue to apply.

    Further information is available on the ICO website.

    Want to know more about GDPR?

    As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.

    If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!

    Leave a comment


    eBook: Essential Uncovered

    Skillcast Essentials is our best-selling library and there's a reason for that. Essentials library provides comprehensive coverage of the key compliance / conduct issues that companies in the UK face today.

    Request now

    8 Tips for GDPR Compliance When Sharing Data

    Before you transfer personal data to other organisations, especially outside the EEA, you need to stop and think about the GDPR implications. The sharing of personal data by businesses and ...

    Read More
    Key UK Competition Law Fines

    Many businesses try to profit from gaining an unfair competitive advantage. Here are eight costly examples of what happens when you breach UK competition law.  The consequences of breaking UK ...

    Read More
    The 12 Most Notorious UK Discrimination Cases

    Discrimination takes many forms, from gender or age to well-intentioned or just downright malicious. Here we examine some of the most serious and high profile cases in the UK. However, no matter what ...

    Read More
    Biggest GDPR Fines of 2020

    Breaching the GDPR can cost you up to €20 m or 4% of annual global turnover. Which is why we are tracking the size and reasons for the biggest GDPR fines of 2020 - to help you avoid them! Since ...

    Read More