A Guide to Data Sharing for Charities, CICs, and Small Businesses Under GDPR

In today’s digital age, data is a valuable asset that can empower charities, Community Interest Companies (CICs), and small businesses to make informed decisions and better serve their stakeholders. However, it is crucial to manage data responsibly and stay within the legal framework set by the General Data Protection Regulation (GDPR). Here is a user-friendly breakdown of key data sharing rules to keep in mind:

1. Be Transparent and Fair: When sharing data, always prioritise transparency and fairness. Inform individuals about how their data will be used and the purpose behind data sharing. This helps build trust and ensures compliance with GDPR principles.

2. Define Clear Purposes: Share data only for specific and legitimate purposes. If you intend to use data for a new purpose, obtain additional consent or ensure it aligns with the original purpose.

3. Share the Minimum Necessary: Practice data minimisation by sharing only the minimum amount of data required for your intended purpose. Avoid unnecessary or excessive sharing, which could breach GDPR principles.

4. Keep Data Accurate: Before sharing data, ensure it is accurate and up-to-date. Sharing incorrect information can lead to misunderstandings and legal issues.

5. Limit Storage Duration: Shared data should not be kept longer than necessary. Regularly review and delete data that no longer serves its purpose to maintain compliance.

6. Protect Data Integrity and Confidentiality: Implement robust security measures to safeguard shared data from unauthorised access, alteration, or destruction. This is essential to maintain trust and prevent data breaches.

7. Embrace Accountability: As a data sharer, take responsibility for adhering to GDPR principles. Keep records of your data sharing processes and decisions to demonstrate accountability.

8. Choose the Right Legal Basis: Determine a legal basis for data sharing. This could include obtaining explicit consent, fulfilling a contract, complying with legal obligations, protecting vital interests, performing tasks in the public interest, or pursuing legitimate interests.

9. Navigate International Data Transfers: If you share data outside the UK or EEA, ensure appropriate safeguards are in place. This might involve using standard contractual clauses or approved transfer mechanisms to protect the data during the transfer.

10. Draft Data Sharing Agreements: When sharing data with third parties, create written agreements that outline the terms and conditions of the data sharing arrangement. This adds clarity and ensures all parties are aware of their responsibilities.

By following these data sharing guidelines, charities, CICs, and small businesses can harness the power of data while maintaining compliance with GDPR regulations. Prioritise ethical data handling and consider seeking legal advice or consulting GDPR resources for further clarity on your specific situation.

Remember, responsible data sharing is not only a legal requirement but also a means to foster trust and build strong relationships with stakeholders.

Use the following checklist to review your finished policy and make sure you have not missed anything.

Data Sharing Policy Checklist for GDPR Compliance

Purpose of Data Sharing:

Clearly define the purpose(s) for sharing personal data.

Ensure data sharing is necessary and proportionate to the intended purpose.

Legal Basis for Data Sharing:

Identify and document the legal basis for sharing personal data (e.g., consent, contract, legitimate interest, legal obligation, vital interests, public task).

Transparency and Information:

Provide transparent information to data subjects about the data sharing activities.

Clearly explain who will receive the data, why, and how it will be used.

Data Minimisation:

Share only the minimum amount of personal data required to achieve the specified purpose.

Data Accuracy:

Ensure that the shared data is accurate, up-to-date, and relevant to the purpose.

Security Measures:

Implement appropriate security measures to protect the shared data from unauthorised access, alteration, or disclosure.

Data Processor Agreements:

If sharing data with third-party processors, have proper data processing agreements in place, as required by Article 28.

International Data Transfers:

If sharing data outside the EEA, ensure compliance with appropriate safeguards or derogations as per Chapter V of the GDPR.

Data Subject Rights:

Outline how data subjects can exercise their rights (access, rectification, erasure, restriction, objection, data portability) concerning the shared data.

Consent Mechanisms:

If relying on consent, ensure it is freely given, specific, informed, and unambiguous. Provide a clear process for obtaining and withdrawing consent.

Legitimate Interests Assessment:

If relying on legitimate interests, conduct and document a legitimate interests assessment to justify the data sharing.

Data Retention Periods:

Specify the retention periods for the shared data and explain the reasoning behind these periods.

Data Breach Notification:

Include procedures for promptly notifying data subjects and relevant authorities in the event of a data breach.

Accountability Measures:

Designate a Data Protection Officer (if applicable) and outline responsibilities.

Maintain proper records of data sharing activities, legal bases, and assessments.

Internal Training and Awareness:

Provide training to employees involved in data sharing to ensure they understand GDPR requirements and best practices.

Privacy Impact Assessment (PIA):

Conduct a PIA for high-risk data sharing activities and address any identified risks.

Monitoring and Review:

Regularly review and update the data sharing policy to ensure ongoing compliance with GDPR and evolving organisational needs.

Remember that GDPR compliance is an ongoing process, and policies should be adaptable to changing circumstances. It is highly recommended to consult with legal experts to customise this checklist according to your organisation’s unique situation.
