Data Sharing Agreements: A Practical Guide for UK Businesses | LegalDocuments.co.uk

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.

Updated June 2026 · England & Wales
Whenever two organisations exchange personal data, whether for a joint project, a supplier relationship, or wider collaboration, the terms of that exchange matter enormously. Getting it wrong can mean fines, reputational harm, and a breakdown in trust with the individuals whose information is involved. A Data Sharing Agreement (sometimes shortened to DSA) sets out, in writing, how two or more parties will handle the data they pass between them. It is not just a formality. Under UK GDPR and the Data Protection Act 2018, organisations sharing personal data need to be able to demonstrate accountability, a lawful basis, and appropriate safeguards. In this guide I want to walk through what a DSA actually does, the clauses that carry the most weight, and the practical questions to think about before signing one. My aim is to give you a clear sense of where the real risks sit.

What this document is

A Data Sharing Agreement is a written arrangement between organisations that sets out how personal data (and sometimes other confidential information) will be shared, used, stored, and eventually deleted. It is the document that turns a general intention to collaborate into a concrete, accountable framework.

In UK practice, DSAs are typically used between two separate controllers, between joint controllers, or between a controller and another party where the relationship is not a straightforward processor arrangement. They sit alongside the wider obligations set out in UK GDPR and the Data Protection Act 2018, and they are strongly encouraged by the Information Commissioner's Office in its statutory code on data sharing.

While a DSA is not always legally mandatory, in my experience it is almost always sensible. It forces both parties to pause and think about lawful basis, security measures, retention periods, and what happens if something goes wrong. Without one, disputes tend to surface at the worst possible moment, usually after an incident has already occurred.

How to use this document

  1. Map the data flow before drafting. Start by identifying exactly what personal data will move between the parties, in which direction, how often, and why. Without this groundwork, the agreement risks being generic. List the categories of data, the individuals it relates to, and any special category data that may need extra safeguards under UK GDPR.
  2. Confirm the lawful basis and roles. Each party needs to be clear on its role, whether that is controller, joint controller, or processor, and the lawful basis being relied on for the sharing. This is not a technicality. It determines who owes which duties to data subjects and shapes how the rest of the agreement needs to be structured to stay compliant.
  3. Define purpose limitations and permitted uses. The agreement should spell out precisely what the recipient can and cannot do with the data. Broad, open-ended wording tends to create problems later. Tie the permitted use to the original purpose, restrict onward sharing unless expressly agreed, and make clear that using the data for unrelated purposes would be a breach of the agreement.
  4. Set out security, retention, and breach protocols. Include the technical and organisational measures each party must apply, such as encryption in transit, access controls, and staff training. Agree retention periods aligned with the purpose, and build in clear timelines and responsibilities for notifying the other party if a personal data breach occurs, so reporting to the ICO and affected individuals is not delayed.
  5. Plan for termination and dispute resolution. Decide what happens to the shared data when the arrangement ends, whether it must be returned, securely destroyed, or retained for a defined period. Include a mechanism for resolving disagreements, governing law, and a process for reviewing the agreement periodically. Data sharing is rarely static, and a DSA that is never revisited tends to drift out of line with reality.

Common questions

Q Is a Data Sharing Agreement legally required in the UK?
A DSA is not always a strict legal requirement, but UK GDPR and the ICO's data sharing code of practice expect organisations to demonstrate accountability when sharing personal data. In practice, a written agreement is the clearest way to show you have considered lawful basis, security, and data subject rights. For anything beyond occasional, low-risk sharing, having a DSA in place is generally the sensible approach.
Q What is the difference between a Data Sharing Agreement and a Data Processing Agreement?
A Data Processing Agreement is used when one party (the processor) handles personal data strictly on the instructions of another (the controller). A Data Sharing Agreement is typically used between two or more controllers, or joint controllers, who each decide how the data is used. The distinction matters because the obligations under UK GDPR differ, and using the wrong type of agreement can leave gaps in compliance.
Q Do I need a DSA for sharing data within my own group of companies?
Yes, in many cases. Separate legal entities are treated as separate controllers under UK GDPR, even when they are part of the same corporate group. An intra-group data sharing agreement helps document the lawful basis, set expectations on security, and deal with international transfers where group members sit outside the UK. Relying on the group relationship alone is generally not enough.
Q What happens if a party breaches the Data Sharing Agreement?
The consequences depend on what the agreement says and the nature of the breach. Typically the innocent party can claim damages, require corrective steps, or terminate the arrangement. A breach may also trigger obligations to notify the ICO and affected individuals if personal data has been compromised. Regulatory action and reputational harm often end up being more significant than the contractual remedies themselves.
Q Does a DSA cover international data transfers?
A DSA can address international transfers, but it usually needs additional safeguards to comply with UK GDPR. This may involve the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or reliance on an adequacy decision. A transfer risk assessment is also normally expected. The DSA should reference these safeguards rather than assume the base agreement is enough on its own.
Q How often should a Data Sharing Agreement be reviewed?
A sensible cadence is at least once a year, and sooner if circumstances change, for example a new processing activity, a change in supplier, or updated guidance from the ICO. Data flows have a habit of expanding quietly over time. A periodic review helps ensure the agreement still reflects what is actually happening and that the safeguards remain proportionate to the risks involved.
Q Who should sign the DSA within each organisation?
It should be signed by someone with authority to commit the organisation to contractual obligations, often a director, data protection lead, or senior manager. Input from a Data Protection Officer, where one is appointed, is strongly recommended before signature. Keeping a clear record of who signed, when, and on what version of the document is important for accountability purposes under UK GDPR.
Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.