Written by Brad Askew
Legal Tech Founder
Civil & Commercial Law background · Founder of LegalDocuments.co.uk
We’re not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.
Updated April 2026 · England & Wales
Whenever two organisations exchange personal data, whether for a joint project, a supplier relationship, or wider collaboration, the terms of that exchange matter enormously. Getting it wrong can mean fines, reputational harm, and a breakdown in trust with the individuals whose information is involved.
A Data Sharing Agreement (sometimes shortened to DSA) sets out, in writing, how two or more parties will handle the data they pass between them. It is not just a formality. Under UK GDPR and the Data Protection Act 2018, organisations sharing personal data need to be able to demonstrate accountability, a lawful basis, and appropriate safeguards.
In this guide I want to walk through what a DSA actually does, the clauses that carry the most weight, and the practical questions to think about before signing one. My aim is to give you a clear sense of where the real risks sit.
What this document is
A Data Sharing Agreement is a written arrangement between organisations that sets out how personal data (and sometimes other confidential information) will be shared, used, stored, and eventually deleted. It is the document that turns a general intention to collaborate into a concrete, accountable framework.
In UK practice, DSAs are typically used between two separate controllers, between joint controllers, or between a controller and another party where the relationship is not a straightforward processor arrangement. They sit alongside the wider obligations set out in UK GDPR and the Data Protection Act 2018, and they are strongly encouraged by the Information Commissioner's Office in its statutory code on data sharing.
While a DSA is not always legally mandatory, in my experience it is almost always sensible. It forces both parties to pause and think about lawful basis, security measures, retention periods, and what happens if something goes wrong. Without one, disputes tend to surface at the worst possible moment, usually after an incident has already occurred.
How to use this document
01. Map the data flow before drafting. Start by identifying exactly what personal data will move between the parties, in which direction, how often, and why. Without this groundwork, the agreement risks being generic. List the categories of data, the individuals it relates to, and any special category data that may need extra safeguards under UK GDPR.
02. Confirm the lawful basis and roles. Each party needs to be clear on its role, whether that is controller, joint controller, or processor, and the lawful basis being relied on for the sharing. This is not a technicality. It determines who owes which duties to data subjects and shapes how the rest of the agreement needs to be structured to stay compliant.
03. Define purpose limitations and permitted uses. The agreement should spell out precisely what the recipient can and cannot do with the data. Broad, open-ended wording tends to create problems later. Tie the permitted use to the original purpose, restrict onward sharing unless expressly agreed, and make clear that using the data for unrelated purposes would be a breach of the agreement.
04. Set out security, retention, and breach protocols. Include the technical and organisational measures each party must apply, such as encryption in transit, access controls, and staff training. Agree retention periods aligned with the purpose, and build in clear timelines and responsibilities for notifying the other party if a personal data breach occurs, so reporting to the ICO and affected individuals is not delayed.
05. Plan for termination and dispute resolution. Decide what happens to the shared data when the arrangement ends, whether it must be returned, securely destroyed, or retained for a defined period. Include a mechanism for resolving disagreements, governing law, and a process for reviewing the agreement periodically. Data sharing is rarely static, and a DSA that is never revisited tends to drift out of line with reality.
Common questions
Q: Is a Data Sharing Agreement legally required in the UK?
A DSA is not always a strict legal requirement, but UK GDPR and the ICO's data sharing code of practice expect organisations to demonstrate accountability when sharing personal data. In practice, a written agreement is the clearest way to show you have considered lawful basis, security, and data subject rights. For anything beyond occasional, low-risk sharing, having a DSA in place is generally the sensible approach.
Q: What is the difference between a Data Sharing Agreement and a Data Processing Agreement?
A Data Processing Agreement is used when one party (the processor) handles personal data strictly on the instructions of another (the controller). A Data Sharing Agreement is typically used between two or more controllers, or joint controllers, who each decide how the data is used. The distinction matters because the obligations under UK GDPR differ, and using the wrong type of agreement can leave gaps in compliance.
Q: Do I need a DSA for sharing data within my own group of companies?
Yes, in many cases. Separate legal entities are treated as separate controllers under UK GDPR, even when they are part of the same corporate group. An intra-group data sharing agreement helps document the lawful basis, set expectations on security, and deal with international transfers where group members sit outside the UK. Relying on the group relationship alone is generally not enough.
Q: What happens if a party breaches the Data Sharing Agreement?
The consequences depend on what the agreement says and the nature of the breach. Typically the innocent party can claim damages, require corrective steps, or terminate the arrangement. A breach may also trigger obligations to notify the ICO and affected individuals if personal data has been compromised. Regulatory action and reputational harm often end up being more significant than the contractual remedies themselves.
Q: Does a DSA cover international data transfers?
A DSA can address international transfers, but it usually needs additional safeguards to comply with UK GDPR. This may involve the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or reliance on an adequacy decision. A transfer risk assessment is also normally expected. The DSA should reference these safeguards rather than assume the base agreement is enough on its own.
Q: How often should a Data Sharing Agreement be reviewed?
A sensible cadence is at least once a year, and sooner if circumstances change, for example a new processing activity, a change in supplier, or updated guidance from the ICO. Data flows have a habit of expanding quietly over time. A periodic review helps ensure the agreement still reflects what is actually happening and that the safeguards remain proportionate to the risks involved.
Q: Who should sign the DSA within each organisation?
It should be signed by someone with authority to commit the organisation to contractual obligations, often a director, data protection lead, or senior manager. Input from a Data Protection Officer, where one is appointed, is strongly recommended before signature. Keeping a clear record of who signed, when, and on what version of the document is important for accountability purposes under UK GDPR.
Brad has a background in civil and commercial law and founded LegalDocuments.co.uk to make clear, reliable legal information accessible to everyone. This site is not a law firm and does not provide regulated legal advice.
Legal disclaimer
This article is for general information only and does not constitute legal advice. We are not solicitors. For advice on your specific situation, please consult a qualified solicitor.