[GDPR Step 15] How to Set Up Data Sharing Agreements
The General Data Protection Regulation (GDPR), introduced by the European Union (EU), took effect on May 25, 2018. It makes both organizations and their vendors accountable for the protection of subjects’ personal data. To ensure this accountability and assign clear responsibilities to all parties involved, relevant data sharing agreements need to be established.
Talend recently hosted an on-demand webinar, Practical Steps to GDPR Compliance, that focuses on a comprehensive, 16-step plan to operationalize a data governance program that supports GDPR compliance.
Setting up data sharing agreements is Step 15 in this plan. To learn more about the first fourteen steps, check out the links in the sidebar!
GDPR’s Perspective on Data Sharing Agreements
The GDPR is applicable to both the controller (an entity that determines the purposes and means of processing personal data) and the processor (the entity which processes personal data on behalf of a controller) of personal data. The controller is typically the organization that collects personal data and tracks uses for its business purpose. “Processor” is a term used to refer to the vendor, to whom some part of the business is outsourced by the controller. During the outsourcing process, the processor also gains access to personal data.
This partnership leads to questions such as, “If there is a breach to personal data, who is accountable?”
To address this and other relevant questions, the GDPR emphasizes the need to create data sharing agreements.
- Subject matter
- Duration of the processing
- Nature and purpose of the processing
- Type of personal data
- Categories of data subjects
- Obligations and rights of the controller
Article 28.4 states that the same data protection obligations also apply where one processor engages another processor to carry out specific processing activities on behalf of the controller. In case of a breach, the article makes it clear that “where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.”
To confirm these legal obligations, it is mandatory, per the GDPR, for controllers to enter into data sharing agreements with their processors.
4 Key Themes for Data Sharing Agreements
Data governance teams have a significant role to play in setting up data sharing agreements. They must ensure that legal and compliance teams sign off prior to any movement of personal data belonging to an EU citizen from one country to another, from an organization to a vendor, and from a vendor to a downstream processor.
The following are a few broad themes that need to be addressed by the agreements.
1. Adherence to Data Protection Standards
Data sharing agreements must mandate the processor to have the right infrastructure and systems in place to protect the personal data of subjects. This includes maintaining a record of all processing activities, and the facility “forget” all data after the contract is complete—or if the subject chooses to be forgotten.
2. Consent Before Outsourcing
Vendors cannot outsource personal data without the controller’s consent. Agreements need to be re-evaluated and re-drafted to include the downstream processors as well, if such a need arises.
3. Breach Situations
Agreements need to address breach scenarios and clarify roles, responsibilities, and liabilities in such cases. If a processor encounters a breach, they must inform the controller immediately and provide appropriate assistance to tackle the consequences of the breach.
4. Risk Assessment
Controllers need to perform a vendor risk assessment to ensure that the vendor has the means and will to comply with data protection standards. The assessment findings have to be documented before business engagement begins and before any personal data is shared.
Similarly, controllers need to conduct frequent audits to affirm continued confidence in the vendor. These findings also need to be documented, along with the risk assessment reports, to confirm that due diligence was done by a controller to safeguard the privacy of personal data.
Next Steps to Setting Up Data Sharing Agreements
Data sharing agreements are complex legal documents. These agreements, however, can not only prevent messy situations in the case of a data breach, but also help protect personal data, which is the core objective of the GDPR. Talend Metadata Manager can assist in capturing these data sharing agreements semantically as well as tracking and tracing physical data location and movement within a data landscape.
The next step of Talend’s comprehensive 16-step plan is enforcing compliance with GDPR controls.
Ready to get started with Talend?
More related articles
- Pillars to GDPR Success (2 of 5): Data Capture and Integration
- Pillars to GDPR Success (4 of 5): Self-Service Curation and Certification
- Pillars to GDPR Success (3 of 5): Anonymize and Pseudonymize for Data Protection with Data Masking
- Pillars to GDPR Success (5 of 5): Data Access and Portability
- Preparing for GDPR
- [GDPR Step 14] How to Govern the Lifecycle of Information
- Pillars to GDPR Success (1 of 5): Data Classification and Lineage
- PCI DSS: Definition, 12 Requirements, and Compliance
- [GDPR Step 16] How to Enforce Compliance with Controls
- [GDPR Step 13] How to Manage End-User Computing
- [GDPR Step 11] How to Stitch Data Lineage
- [GDPR Step 09] How to Conduct Vendor Risk Assessments
- [GDPR Step 12] How to Govern Analytical Models
- [GDPR Step 10] How to Improve Data Quality
- [GDPR Step 08] How to Conduct Data Protection Impact Assessments
- [GDPR Step 07] How to Establish Data Masking Standards
- [GDPR Step 3] How to Confirm Data Owners
- [GDPR Step 06] How to Define Acceptable Use Standards for GDPR
- [GDPR Step 2] The Importance of Creating Data Taxonomy
- [GDPR Step 4] How to Identify Critical Datasets and Critical Data Elements
- What is Data Portability?
- [GDPR Step 01] How to Develop Policies, Standards, and Controls
- What is Data Privacy?
- [GDPR Step 5] How to Establish Data Collection Standards