Part 4: Contracts & Data Sharing

Accountability is one of the 7 Principles under the GDPR (General Data Protection Regulation). To ensure businesses comply with their accountability obligations, the ICO has now created a framework that breaks down the key elements of accountability in data protection.

As part of an ongoing series of blogs, CVG Solutions will be guiding you through the ICO's 10 framework categories, taking a closer look at the importance of each aspect and how to adhere to them.


Data Sharing Between Organisations

When sharing data between organisations there should always be an accompanying contract or agreement that clearly defines the roles and responsibilities of each party, so they may be held accountable for their part. Having definitive and legally binding agreements with shared or other controllers isn’t just good practice, it’s absolutely essential for demonstrating accountability.

Data Sharing or Processing Agreements?

The aforementioned contracts help to provide clarity for both parties in terms of what is expected of controllers and processors that manage the information of data subjects.

In a joint controller scenario, a Data Sharing Agreement should be used, whereas a Data Processing Agreement is more suitable in a controller/processor scenario and should detail how the data will be deleted or returned by the processor at the end of the contract. Whatever the situation, it is always appropriate for the organisation to have the correct agreements in place.

These agreements should be signed off by management, reviewed regularly, and should always include:

– the roles of each party involved,

– what is going to happen to the data at each stage,

– and the purpose of sharing the data.

Restricted Transfers

It is also important to have the appropriate safeguards in place when transferring data across borders. Before any transfer, every organisation should have prepared the following and established which of these safeguards apply to it:

1) Standard Contract Clauses

2) Binding Corporate Rules

3) Derogations (exemptions from the rules)

Processor Due Diligence Checks and Compliance Reviews

The procurement process should include mandatory due diligence checks that are proportionate to the risks of processing, prior to the contracts being agreed.

The organisation should occasionally review the processors’ compliance with their contracts.

Therefore, the contract should include provisions for the controller to conduct audits to establish compliance with the contractual terms and conditions. Audits should also be proportionate to the processing risks.

Purpose Limitation

The organisation should ensure that only the personal data necessary to achieve a specific purpose is shared with processors or additional third parties. The information should be minimised and even pseudonymised, wherever possible. It is also worth considering anonymising the data so that it no longer qualifies as personal data, and therefore falls outside the scope of GDPR.

For any changes to data protection and transferring policies as a result of Brexit, or a full breakdown of what privacy information includes, get in touch with CVG Solutions and we can help guide you through everything you need to know and ensure you meet all the requirements laid out by the ICO.

Check back for monthly updates and information regarding the ICO Accountability Framework. In February, we’ll be taking a closer look at Records Management & Security. You can also read our other blogs in the series on:

Leadership & Oversight (Part 1) 

Training & Awareness (Part 2)

Transparency (Part 3)

If you require any further help, guidance, information or clarification, you can contact CVG Solutions at, or call us on 01775 660-506. Additionally, you can fill out a digital self-assessment form on the ICO website: Accountability framework self-assessment | ICO.

CVG Monthly Insight

If you would like to sign up to our Monthly Insight to keep up to date with the latest on GDPR and upcoming events in CVG Solutions, please contact us on or call us on 01775 660506.

About the Author

Cristina is recognized as a leader in the GDPR industry and has 25+ years of experience working for large international corporations. During this time Cristina has acquired an extensive knowledge and practical application of data protection, risk management and compliance. Cristina uses all of her expertise in helping her clients of all sizes to improve their understanding of the GDPR, how it can strengthen their brand, and how it can support them to drive business growth. Cristina is the creator of the ‘GDPR 3 Stages Maturity Lifecycle’ and of the ‘GDPR Toolkit’.