ICO’s New Data Sharing Code – are you compliant?

Monday 23rd September, 2019

The Information Commissioner’s Office (the “ICO”) has issued a new draft data sharing code of practice (the “Code”).  The Code is important for all businesses which share personal data with third parties.

What is the Code?

The Code aims to give businesses practical advice and guidance on how to share personal data fairly and lawfully.

It is taken into account by the ICO and the courts when assessing compliance with the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (the “DPA”).  If a business fails to comply with the Code, it will almost certainly breach the GDPR and the DPA.

When does the Code apply?

The Code focusses on the sharing of personal data between data controllers (a “data controller” is an organisation which, either alone or jointly with others, determines the purposes for which personal data is processed).

Some examples of when the Code will apply include the sharing of personal data in connection with M&A transactions, the sharing of personal data in connection with joint venture and R&D projects, the purchase / sale of marketing lists, intra-group sharing of staff and / or customer data, and the sharing of personal data for the prevention of fraud.

What are the key points?

Businesses which share personal data must:

  • Fully comply with all the principles of the GDPR in respect of the data sharing: be fair and transparent with the individual data subjects; ensure there is a lawful basis for the data sharing (for example legitimate interests); make sure the data shared is limited to what is needed for the specific agreed purpose; make sure the data is only used for the purpose; make sure the data shared is accurate and up to date; ensure the data is kept secure; ensure the data is not kept for longer than is necessary; ensure individuals can easily exercise their data subject rights (e.g. the right to access their personal data);
  • Take a “data protection by design and default” approach and consider whether a data protection impact assessment (“DPIA”) is needed.  The Code recommends DPIAs are carried out when sharing personal data even if DPIAs are not legally required; and
  • Enter into an appropriate data sharing agreement to record the types of data to be shared, the purpose of the data sharing and the rules around the data sharing.

How are M&A transactions affected?

The Code expressly refers to M&A transactions so buyers, sellers and investors must all comply with the Code when they share personal data in connection with a transaction.

In addition to the obligations set out above, businesses must:

  • Consider and review the data sharing arrangements throughout the due diligence process;
  • Seek technical advice before sharing data where different systems are involved because the use of different systems creates the risk of loss, corruption or degradation of the data; and
  • Consider when and how individuals will be informed about the transaction and what is happening to their data.

The ICO recently issued notice of its intention to fine the hotel group Marriott International Inc more than £99 million for the inadequate due diligence it applied to its acquisition of the Starwood hotels group after it was discovered that millions of hotel guests’ personal data had been compromised following a hack on the Starwood database.  The case illustrates the importance of data protection compliance and due diligence in M&A transactions.

What is next?

We are currently awaiting the outcome of the Code’s consultation with the final Code due for launch in the autumn.  However, we do not expect any significant changes to the draft Code and businesses should act now to make sure their data sharing arrangements comply with the Code.

This article is current as of the date of its publication. The information and any commentary contained in this article is for general information purposes only and does not constitute legal or any other type of professional advice.  Marriott Harrison LLP does not accept and, to the extent permitted by law, excludes liability to any person for any loss which may arise from relying upon or otherwise using the information contained in this article.