So, what is it about sharing data that people find so confusing? If you went to a football match or an athletics meeting would you tell your life story to the person sitting next to you, including where you live, your bank account details, and so on? Even if you did would you want the rest of the stadium to know everything too?
I am sure that the vast majority of us would not say a word to the stranger sitting next to us, so why would you want a company to do what you wouldn’t?
The Need to Share Data
There are some very obvious reasons that companies share data. Delivering the item(s) you have ordered online may not reach you if the retailer doesn’t share your address with the Royal Mail, for example. This is just common sense surely, you say – and you’d be right to. In fact some companies cannot fulfil their obligations to an individual without sharing data.
There are more reasons, based on common sense, to share your data, but not all of them can be considered automatic. At the end of the day it’s about whether there is a legitimate reason, in the eyes of the regulation, to share your data. This is based on need, not want. Even some needs can require consent from the individual or supplying the data required be anonymising it, as charities do.
Some things that might not be obvious on this topic would be; you are out on a shopping day with your friends and you fall in a shop and hurt yourself badly. A shop worker calls for an ambulance and then asks you loads of personal questions that the ambulance service ask them. After the incident is over the shop will be required to place particulars of the incident and your details in its accident records. This is the natural use of data sharing and is allowable using a number of reasons called the “Legal Basis for Processing” in the regulations.
The Want to Share Data
There are other reasons, just as obvious, that companies have to share your data that cannot be treated in the same way. These are basically using your information financial gain in some way or another. This are things like sharing data with “affiliates”, or just to sell your data to a load of companies in the hope that one of these will get a sale from you.
Anything linked to this type of data sharing is not something that can happen using a “Legal Basis for Processing” that has been used in the prior example and any of these types of activities has to have your approval. This type of activity requires your consent. Consent is, in itself, a “Legal Basis of Processing” and can be used for a variety of reason and sharing data is one of them.
Some data requires particular care, like imagery, as when it is shared on social media, it is most probably in the public domain in perpetuity. Once “out there”, images linked to posts can be shared, liked and downloaded so much that it is virtually impossible to remove them from every data feed on that platform.
How to Share Data
The first point to make here is common sense to me. Tell people what data you want to share with others, or what you feel you have to share, and why. As an organisation there will be data that has to be shared as there is a legal requirement to do so. For some others there is a legitimate interest as it will be beneficial to their health and/or wellbeing, especially if there is some type of emergency requiring the immediate attention of health or law enforcement services.
Where none of these reasons apply, then an organisation will always need consent. In a regulatory context consent is a freely given choice that is not influenced in any way by incentives from the process. For example, and I have personally witnessed this one, “Choose to stay on our mailing list and your name will be entered into a free prize draw for a free overnight stay and cream tea”. Bundling things like this will invalidate the consent being requested if challenged.
If you want to share data for marketing purposes it has to be clear that this is why data is going to be shared, exactly what will be shared and to whom, so “affiliates” will not cut it any more. If you review the cookies on the sites you visit on the internet you should see a section for advertising. As an individual you have the choice to turn this off completely, or to go through and select individual companies that can send marketing to you. Accepting cookies from a website, without any review of what they are, can clog up your inbox with marketing emails.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through firstname.lastname@example.org , or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.