Let’s break down the two different types so you can clearly understand what each one is:
Data Sharing Agreement:
A data sharing agreement sets out the purpose of the data sharing, covers what will happen to the data at each stage, ensures that standards are set and agreed by both parties, and clarifies the different roles the two organisations will have.
Ideally, you should have the following questions answered in the document:
- Who are the parties named in the agreement?
- What is the purpose of the data sharing?
- What are the specific aims?
- Why is this necessary?
- What will be the benefits of sharing this data?
- Will any other organisations be involved in the data sharing?
- What are the contact details of each party's Data Protection Officer (DPO)?
- Who are the day-to-day contacts for the sharing at each organisation?
- Are you sharing with a separate controller or as joint controllers?
- If you are joint controllers, there is a legal obligation to set out your respective responsibilities in a joint controller arrangement, both under the UK GDPR/Part 2 of the DPA 2018 and under Part 3 of the DPA 2018.
- What data is being shared?
- Do you need specific permissions before you begin?
- What is the lawful basis that is being used for sharing?
- Is there any special category/criminal/sensitive data being shared?
- Do you have the correct conditions for processing?
- How will the individuals be able to access their information and exercise their rights?
- What happens when either controller receives an information request (for example a subject access request)?
- What information governance arrangements should be put in place (security, retention, review and termination of the sharing)?
- A summary of the key legislative and other legal provisions that apply.
Data Processing Agreement:
This is a contract between the controller and a processor it wants to use. A written contract is required whenever a processor is used (UK GDPR Article 28), and it is also a useful tool: it sets out, for both you and the processor, exactly what the processor may and may not do with your data going forward.
The following will need to be addressed in the data processing agreements:
- What is the subject matter of the processing? Which service provided to the controller involves the processing of personal data?
- What is the duration of the processing?
- What is the nature of the data? How sensitive is it?
- What is the purpose/outcome of using the processor?
- What type of data is being used?
- The controller’s obligations and rights.
- It must specify that the processor can only act on the documented instructions of the controller, unless required to do otherwise by law.
- The processor will need to ensure that staff who will have access to the data are subject to a duty of confidence.
- The processor must take all appropriate technical and organisational measures to ensure the security of the processing.
- The processor may only engage a sub-processor with the controller’s prior authorisation and under a written contract that imposes the same obligations.
- The processor must take appropriate measures to help the controller respond to requests from individuals exercising their rights.
- The processor must assist the controller in meeting its UK GDPR obligations regarding security, data protection impact assessments (DPIAs) and personal data breaches.
- At the end of the contract the processor must delete or return the personal data, as the controller chooses, and must make available the information needed to demonstrate compliance, including allowing audits and inspections.