Seven tips for good data sharing

On Friday 13th November, Trace Founder Sorcha Lorimer and Gensyn CTO and Co-Founder Ben Fielding co-presented a seminar on Big Data Sharing rooted in Privacy by Design, hosted by Dr Devraj Basu of the University of Strathclyde at part of the RegTech forum.

We covered a lot in the seminar, which you can request to watch on demand; from data sharing, to the European Commission’s principles, to Privacy by Design and a focus on the use cases for synthetic data. We’ll share more posts and guides on those topics in the coming weeks.

In the meantime, here’s a quick distillation of the key points on good data sharing which Sorcha covered at the event into 7 tips for good data sharing:

1. Data sharing presents governance challenges: from usage rights, to tracking data flows. Break it down into why, what, with whom and how for greater transparency and clear purpose

2. Know your data: information is infinite: understand the type of data (open or private? special category? confidential?), its nature and implications for risk and liability

3. Map the legal framework: is this personal data (which is now a very broad term under the GDPR), which jurisdictions apply to the contract etc. And apply the golden rule: don’t collect or share what you can’t protect and you don’t have a legal basis for (vital for personal or special category data)

4. Make it user-centric and apply the principles of Privacy by Design. Think of the end users, the data subjects and their rights, if this is personal data

5. Data Sharing Agreements (DSAs) are a broad topology of contracts, make sure you have the right agreement for the type of sharing and nature of the data. For example, personal data processing requires data controllers to have Data Processing Agreements/Addendums (DPAs) in place with controllers

6. Manage your data and privacy risk: when you are sharing (or collecting) private data or there is high risk processing, make sure you use a Data Protection Impact Assessment (DPIA) (also known as a Privacy Impact Assessment) to help navigate the legal basis and to ensure accountability for surfacing and mitigating data risk to protect the data processing

7. Make it end to end: think about the ‘cradle to grave’ approach for your data lifecycle. Where was data first collected? How will it be shared? How will it be protected? How will it be securely deleted at the end of the agreement? How will all of that be assured and the contract terminated?

Interested in operationalising your privacy programme? Find out more about Trace’s smart DPIA and e-sign DPA features in our platform tour.

Can Trace help with your data governance and privacy risk management? We specialise in making data agreements operationalised into data governance, working closely with lawyers, the business and your technical team. Get in touch if we can help through our tools or managed services.