[GDPR Step 15] How to Set Up Data Sharing Agreements
The General Data Protection Regulation (GDPR), introduced by the European Union (EU), took effect on May 25, 2018. It makes both organizations and their vendors accountable for the protection of subjects’ personal data. To ensure this accountability and assign clear responsibilities to all parties involved, relevant data sharing agreements need to be established.
Talend recently hosted an on-demand webinar, Practical Steps to GDPR Compliance, that focuses on a comprehensive, 16-step plan to operationalize a data governance program that supports GDPR compliance.
Setting up data sharing agreements is Step 15 in this plan. To learn more about the first fourteen steps, check out the links in the sidebar!
GDPR’s Perspective on Data Sharing Agreements
The GDPR applies to both the controller (the entity that determines the purposes and means of processing personal data) and the processor (the entity that processes personal data on behalf of a controller). The controller is typically the organization that collects personal data and uses it for its business purposes. “Processor” refers to the vendor to whom the controller outsources some part of its business; in the course of that outsourcing, the processor also gains access to the personal data.
This partnership raises questions such as, “If there is a breach of personal data, who is accountable?”
To address this and other relevant questions, the GDPR emphasizes the need to create data sharing agreements.
Article 28.3 of the GDPR requires that all processing activities carried out by a processor be governed by a contract with the controller. The contract should set out the terms of use of the personal data, such as the:
- Subject matter
- Duration of the processing
- Nature and purpose of the processing
- Type of personal data
- Categories of data subjects
- Obligations and rights of the controller
Article 28.4 states that the same data protection obligations also apply where one processor engages another processor to carry out specific processing activities on behalf of the controller. In case of a breach, the article makes it clear that “where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.”
To confirm these legal obligations, it is mandatory, per the GDPR, for controllers to enter into data sharing agreements with their processors.
4 Key Themes for Data Sharing Agreements
Data governance teams have a significant role to play in setting up data sharing agreements. They must ensure that legal and compliance teams sign off prior to any movement of personal data belonging to an EU citizen from one country to another, from an organization to a vendor, and from a vendor to a downstream processor.
The following are a few broad themes that need to be addressed by the agreements.
1. Adherence to Data Protection Standards
Data sharing agreements must require the processor to have the right infrastructure and systems in place to protect the personal data of subjects. This includes maintaining a record of all processing activities and having the means to “forget” all data once the contract is complete, or if the subject chooses to be forgotten.
2. Consent Before Outsourcing
Vendors cannot outsource the processing of personal data without the controller’s consent. If such a need arises, the agreements must be re-evaluated and re-drafted to include the downstream processors as well.
3. Breach Situations
Agreements need to address breach scenarios and clarify roles, responsibilities, and liabilities in such cases. If a processor suffers a breach, it must inform the controller immediately and provide appropriate assistance in dealing with the consequences of the breach.
4. Risk Assessment
Controllers need to perform a vendor risk assessment to ensure that the vendor has the means and will to comply with data protection standards. The assessment findings have to be documented before business engagement begins and before any personal data is shared.
Similarly, controllers need to conduct frequent audits to affirm continued confidence in the vendor. These findings also need to be documented, along with the risk assessment reports, to confirm that due diligence was done by a controller to safeguard the privacy of personal data.
Next Steps to Setting Up Data Sharing Agreements
Data sharing agreements are complex legal documents. These agreements, however, can not only prevent messy situations in the case of a data breach, but also help protect personal data, which is the core objective of the GDPR. Talend Metadata Manager can assist in capturing these data sharing agreements semantically as well as tracking and tracing physical data location and movement within a data landscape.
The next step of Talend’s comprehensive 16-step plan is enforcing compliance with GDPR controls.