Best Practices for Data Sharing Changes

Data sharing practices change all the time.

For example, say you decide to add a form to your website that asks customers for their phone number and home address. In contrast, all you had asked from them previously was their first name and email address. And, at the same time, you need to switch from one email autoresponder to another.

Or, suppose you have a texting app and you've decided to give users the ability to text businesses directly from it, but you're also going to store all those chats on a third-party server (similar to the controversial move made by WhatsApp, initially intended for implementation on February 8, 2021 and then delayed to May 15, 2021).

Another instance might be a case where one company is interested in collaboration and innovation to bring about new technology or other products and services, so it partners with a third party to either obtain or provide data so that it can achieve goals it never could by itself. Then the third party is acquired by yet another company.

In all these instances, data sharing practices changed to one degree or another.

As privacy and data protection laws increasingly gain traction worldwide, it's crucial to understand how to keep your company compliant in terms of data sharing and what to do if your data sharing practices change. We'll help you do just that.


What is Data Sharing?

Data sharing still doesn't have a definition that is accepted everywhere. That might sound odd because significant privacy and data protection laws, such as Europe's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA), have principles and guidelines concerning data sharing.

For this article's purposes, we'll use the term "data sharing" in the context of commercial business and how the strictest laws concerning data protection use it.

In this context, data sharing generally concerns "personal data" and how your business discloses that information to, or uses it in connection with, third parties that aren't a part of your company.

Examples of data sharing in this respect might be:

  • In order to establish creditworthiness, a finance company shares personal data with a credit rating agency
  • To help customers prepare for a stay in a foreign location, a travel firm might share personal data with a hotel
  • To adequately prepare for surgery, a healthcare company may need to share personal data with a medical consultant
  • So that a customer's order can be delivered, a company might share the customer's home address with a delivery service

Finally, keep in mind that there are three main classifications of shared data. They are:

  • Sharing data with a person or organization for joint purposes
  • Sharing data with a third party for their use
  • Sharing data with a natural or legal person, public authority, agency, or other body that is engaged to use or store the data for you

Data Sharing Basics

When sharing data with any third party, the following must be kept in mind at all times and strictly adhered to if you wish to be compliant with laws such as the GDPR and CCPA:

  • There must be a good reason to share the data (we'll cover the principles for this below)
  • You must reliably inform your customers that you actively share their data
  • You must ensure that you minimize the amount of data that you need to share
  • You must ensure that you minimize the amount of time during which the data is shared
  • The parties with whom you share the data must have clearly stated policies regarding retention and deletion of shared data
  • You must ensure that shared information is kept secure
  • You must document all shared data
  • Consult with a data protection attorney on a case by case basis
  • Stay up-to-date with the latest guidance on major legislative requirements

Keep in mind that it's a best practice to put a data-sharing agreement in place between your company and any third-party with whom you intend to share data.

Because data sharing agreements may be used often, depending on your company's needs, you may also wish to have templates drawn up that can be customized as necessary.

Have a Good Reason for Sharing Data

A good reason for sharing data isn't just "because you feel like it" or "because you know you'll profit from it." No, a good reason for sharing data must have a legal basis.

Legal grounds for sharing data include:

  • A legitimate interest pursued by you
  • The sharing of data is carried out in the practice of official authority (such as obeying a court order) or performed in the interest of the public
  • A legal obligation placed upon you
  • When the subject of the data has given explicit consent
  • When it is necessary to protect the data subject's vital interests
  • When it is essential for you to fulfill the demands of a contract

Before sharing data, it's best to obtain explicit consent from those you are collecting data from.

Further, telling your customers upfront and in clear language that you are collecting data, the purposes for which you are collecting it, how long you plan to keep it, how you plan to keep it safe, and with whom you plan to share it is a necessity.

Remember that while the GDPR and CCPA may not cover all geographic regions where you do business, both laws are now being used as the proverbial gold standard for privacy and data protection (which cover data sharing practices).

Many nations and states are in the process of passing legislation that borrows heavily from them.

What to Do if Your Data Sharing Practices Change

Should you change the way your company handles data sharing in any way, you'll want to make that fact public. You'll also want to make swift updates to all legal agreements and policies published on your website, such as your Privacy Policy.

Then you'll want to notify your customers of all relevant changes you've made. We'll go over specifics below.

General Changes to Your Data Sharing Practices

If you plan to make changes to your data sharing practices, you need to provide notice before those changes go into effect. You'll want to be sure to mention any policies or agreements that may be affected by those changes, such as your Privacy Policy or your Terms and Conditions Agreement.

Here's the notification WhatsApp sent out through its messaging system:

[Image: WhatsApp updating terms and Privacy Policy notice with Agree for consent]

Other agreements that might be affected include:

  • Terms for the API
  • Cookies Policy
  • Service Level Agreement
  • End-user License Agreement (EULA)

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step".
  3. Answer the questions about your website and click "Next step" when finished.
  4. Answer the questions about your business practices and click "Next step" when finished.
  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

    You'll be able to instantly access and download your new Privacy Policy.

You should also gain new consent for the changes you plan to make. This shows respect for your customers and allows them to either opt out of further data collection or to delete their account with you entirely if they don't agree with your changes.

There are a couple of ways to give notice to your customers. They are:

  • Notice through email
  • Notice in a popup on your homepage

While you could limit providing notice to only one of the methods mentioned above, it's a best practice to use both in conjunction with each other.

Email Notification

You can effectively share changes to your data sharing practices through email. In fact, email notifications are considered more effective than the other method we'll share below because people use their email just about every day.

Thus, your customers have a much higher chance of seeing and reading your notification. This is in contrast to a popup notification on your website, which some customers may rarely visit.

To be effective, your email notification should include four things:

  • The date changes to your data sharing practices go into effect
  • Details on the planned changes
  • Links to any affected legal agreements
  • What actions your customers can take if they don't agree with the changes

Another method of letting your customers know that you're implementing changes to your data sharing policy is through the use of a conspicuous popup notice. Ideally, you'll place this popup on your company website's main page, and you'll use it to help gain explicit consent.

In the popup notice, you'll want to include the following:

  • A statement detailing your planned changes
  • A mechanism to acquire consent. The Clickwrap method is recommended here, wherein the user must purposefully click "Accept" or "Agree" to validate their consent
  • Links to the legal agreements affected by your change in data sharing practices

Here's a popup Twitter used when it changed how it shared data:

[Image: Twitter "Update to your data-sharing settings" popup notice]

General principles to keep in mind when notifying customers of changes to your business practices include:

  • Make sure that all notices, emails or otherwise, that detail changes to your data sharing practices are written clearly and in simple language
  • Make sure all notices and updated legal agreements are easily accessible, concise, and transparent
  • Make sure you never charge customers for access to updated information

Major Changes to Your Data Sharing Practices

There are some situations in which you'll need to do a bit more than what's outlined above in terms of what to do when your data sharing practices change. For example, how you handle data sharing may change significantly when going through an acquisition or a merger.

During a change in the organizational structure of any kind, you may find that you'll have to transfer data to a different person or organization. Therefore, you'll need to consider sharing data as part of the overall due diligence you must conduct when taking on a new organization and its commitments.

Part of carrying out that due diligence requires that you establish the purposes for which data was collected initially, gain a clear understanding of the lawful basis for sharing that data, and determine whether these will change in any way following the acquisition or merger.

As noted previously, if you find that any changes are made to your data sharing practices, you'll have to inform those who have given you their personal data of those changes. Furthermore, it is your responsibility to make sure that shared data is secured correctly and that you document all shared data.

Specific Actions: Acquisitions and Mergers

As suggested above, you may find that you'll have to transfer data to a different person or organization during an acquisition or merger.

In the event this happens, you'll need to:

  • Make a determination as to what specific data you are transferring
  • Seek out technical advice in cases where organizations have different data systems in place
  • Ensure principles of transparency, fairness, and lawfulness are followed
  • Document everything
  • Work to prevent the loss, degradation, or corruption of data during the transfer
  • Follow all security protocols

After the Acquisition or Merger

Following an acquisition or merger, it may be hard to manage any data that's shared. Difficulty managing the data may especially be the case when the organizations in question attempt to integrate different systems or are using other databases.

You will want to ensure that you:

  • Check to ensure that proper security is maintained
  • Ensure that you follow a policy of retaining all documentation of data sharing practices both before and after the acquisition or merger
  • Check to be sure that the data records are up to date and accurate

Summary

  • There are many circumstances during which data sharing practices might change.
  • Although the definition of data sharing isn't set in stone, there is a generally agreed-upon meaning when it comes to how the term is used in the context of commercial business.
  • Data sharing is mainly concerned with how companies share the personal data of their customers.
  • You should make public all changes to the way in which you handle data sharing.
  • You should make swift updates to all legal agreements and policies published on your website.
  • You should notify your customers before changes go into effect. Notifications can be made through email or popups that obtain explicit consent from your customers to the changes you plan to make.
  • There are particular data sharing considerations when dealing with acquisitions and mergers.
  • The way in which data sharing takes place should be considered as part of your overall due diligence.
  • Seek out technical advice in cases where organizations have different data systems in place.
  • Work to prevent the loss, degradation, or corruption of data during the transfer.
  • Follow all security protocols.
  • Consult with a data protection attorney on a case by case basis.
  • Stay up-to-date with the latest guidance on major legislative requirements.

Whether you ever need to change your data sharing practices or not, you should always keep the following foremost in your mind regarding your policies on the matter.

  • What is your lawful basis for sharing data?
  • Are your data sharing practices justified?
  • How much data do you plan to share?
  • Do you have data sharing agreements in place?

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.