8 GDPR Data Sharing Compliance Tips

Posted by

Lynne Callister

on 10 Aug 2023


Before sharing personal data with other organisations, especially outside the EEA, you need to stop and think about the GDPR implications.

8 Compliance Tips for GDPR Data Sharing

The sharing of personal data by organisations within Europe is subject to the General Data Protection Regulation (GDPR). Data sharing isn't wrong. There are legitimate reasons for companies to share personal information.

What are legitimate reasons for data sharing under GDPR?

  • Retailers may share customer addresses with a courier for delivery.
  • Travel firms may pass personal information to a hotel relating to a booking.
  • Healthcare providers need to share a patient's medical history with a consultant in readiness for an operation.
  • A finance company may share personal data with a credit rating agency to establish creditworthiness.

Crucially, before you share personal information, make sure there's a legitimate reason for doing so, the protections are adequate, and appropriate safeguards are in place.

A lot has changed since the introduction of the GDPR, not least the UK Brexit referendum. That's why it's worth taking a fresh look at how to stay compliant when sharing data under the GDPR.

Free GDPR Training Presentation

GDPR data sharing compliance tips

1. Consider legitimacy

Why are you sharing data in the first place? What is your lawful basis for this? What are you hoping to achieve? Is it justified? Is the data sharing proportionate? What and how much data will be shared? With whom?

2. Weigh up benefits vs risks

What are the benefits and risks of sharing or not sharing the information? Remember, if there is a high risk to the rights and freedoms of data subjects, conduct a Data Protection or Privacy Impact Assessment (PIA).

3. Ascertain if you have the right to share information

Think about what type of organisation you work for, what relevant powers or functions does it have, what is the nature of the information you're planning to share (e.g. is it confidential, especially sensitive, etc.), and is there a legal obligation (such as a legal requirement, a court order, a safeguarding duty, etc.)?

4. Consider where the data transfer is between

Is it to a country outside the European Economic Area (EEA)? If so, is the transfer covered by an adequacy decision that safeguards individuals' rights and freedoms?

Free GDPR Self-assessment Questionnaire

5. What to do if there is no 'adequacy' decision

Consider whether other safeguards govern the transfer. For example, binding corporate rules (BCRs), standard contractual clauses (SCCs) approved by the Commission etc.

6. Check if an exception covers the data transfer

What can you do if you have no 'adequacy' decision and no appropriate safeguards? Well, whether or not you have the individual's explicit consent, there are some exceptions you can rely on.

Examples of exceptions include:

  • If you have a contract with the individual;
  • If the transfer is necessary for reasons of public interest;
  • If the transfer is necessary for a legal claim or;
  • If the transfer is necessary to protect vital interests.

7. Develop data-sharing protocols & agreements

Are there any sharing protocols or agreements currently in place with the third party? How frequently is information shared with them? What information will you give to data subjects about this? At what point and how will this be communicated? What specific measures are in place to maintain security (e.g. encryption)?

8. Keep data up-to-date & accurate

How will you ensure that the data you have shared remains up-to-date and accurate? Who is responsible for doing this (the company doing the sharing or the recipient company)? What arrangements are in place if data subjects want to access it? How long should each party retain data, and what processes are required to ensure it is deleted by all parties when it is no longer needed?

GDPR Personal Data Desk Aid

Want to learn more about GDPR?

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.

GDPR Training Presentation

The fines for GDPR breaches represent up to 4% of your global annual turnover or EUR 20 million, whichever is the highest. So it is critical to ensure your organisation understands and adheres to GDPR.

Our free GDPR Training Presentation is fully editable, presents the key points in plain English and is packed with practical activities to accelerate learning

Download your free training aid