The U.K.'s data protection authority is offering guidance on how to share data while maintaining compliance with data protection regulation.
In a document released earlier this month, "Data sharing code of practice," the ICO, Britain's Information Commissioner's Office, urged organizations, or controllers, to follow its guidance or risk running afoul of the DPA. The document reiterates that the ICO can fine a controller found in violation of the General Data Protection Regulation (GDPR) up to €20 million or 4 percent of the organization's annual worldwide turnover.
The code of practice was first published in 2011; the ICO began soliciting input for this updated version last August.
While comprehensive and certainly informative, the guide isn't final; it's a draft statutory code, something the Information Commissioner, Elizabeth Denham, is required to release per section 121 of the Data Protection Act 2018. The ICO is seeking comments on the draft code until September 9.
The ICO says the guide is mostly geared towards controllers that share data subject to the GDPR and the data processing provisions of Part 2 of the Data Protection Act 2018 but that much of it could apply to public, private, and third-sector orgs - any org that shares data, really.
While lengthy at 105 pages, the document has several key takeaways:
- A controller should first decide whether it needs to carry out a Data Protection Impact Assessment, DPIA, a process in which the ICO will offer advice around a project that will involve the processing of data. While a DPIA is a legal requirement for high-risk data processing projects, it isn't required of every controller. That said, one can still prove useful.
- Consider implementing a data sharing agreement that will set standards around roles, what happens to data, etc.
- Ensure compliance with the GDPR or DPA, as appropriate.
- Identify at least one lawful basis for sharing data from the start.
- Ensure personal data is shared fairly and transparently, and ensure individuals know what is happening with their data, unless an exception applies.
- Consider data sharing as part of due diligence when entering a merger or acquisition.
- Transferring databases or lists of individuals, when done by data brokers, marketing agencies, credit reference agencies, clubs and societies, and political parties, is data sharing.
- Sharing children's data should be done with caution. If a project sharing children's personal data could result in a high risk, a DPIA is “compulsory.”
The document goes on to highlight a number of misconceptions about data sharing, namely those arising from the blurred lines between last year's implementation of the GDPR and the DPA, the UK's third generation of data protection law.
The release of the guide comes amid a renewed spotlight on GDPR, following massive fines against both British Airways ($229M) and Marriott ($123M) for 2018 data security incidents.