ABAC (Attribute-Based Access Control)
ABAC decides access by evaluating attributes of the person, the resource, the action, and the context against a policy, instead of by member...
Read definitionA data sharing agreement is the written deal between organisations that share data: what moves, to whom, for what purpose, on what legal basis, for how long, under what security, and what happens at the end. Under GDPR the roles decide whether you also need a data processing agreement.
A data sharing agreement is a written agreement between organisations that share data. It sets out what data moves, to whom, for what purpose, on what legal basis, for how long, under what security, and what happens to the data once the arrangement ends.
It works as two documents at once. For legal and compliance, it records the purpose, the lawful basis, and the roles under data protection law. For the data teams on both sides, it is a working brief: which fields come through, how often, and who reports an incident.
Without one, shared data drifts. An export lands in a shared folder, someone builds a report on it, and a year later nobody can say who owns a wrong figure or a deletion request. The agreement records those answers up front.
Most agreements cover the same core ground, and the detail scales with how sensitive the data is.
Purpose. Not a blanket "for analysis" but which analysis, for whom, and what decisions may follow. Data shared for billing should not quietly become training data for a model or a marketing list.
Parties and roles. Who shares, who receives, and who carries which responsibility under data protection law at each stage, including after the data has changed hands.
The data in scope. A specification of the datasets and fields covered. Often it is right to share part of a record and leave the more sensitive fields behind.
Legal basis. The lawful ground for the sharing, which matters most when the data includes personal data, what many teams call PII.
Retention and deletion. How long each side may keep the data and how it gets deleted. This is where data retention and data minimisation stop being policy words and become clauses someone has to honour.
Security. The technical and organisational measures each side applies, plus how a breach is reported and to whom.
The end of the arrangement. What happens when it stops: return the data, delete it, or anonymise it, with copies, backups, and exports covered too.
The most important question in a data sharing agreement is a GDPR question: what role does each side play. The answer decides which document you actually need, and GDPR is strict about two of the three cases.
If the other organisation decides its own purposes for the data, you are two separate controllers. A manufacturer sends a distributor monthly sales figures, and the distributor uses them for its own demand forecasting. Each side answers for its own use. GDPR does not impose a fixed template here, but regulators expect a written agreement, and the accountability principle is hard to meet without one.
If the other organisation only handles the data on your behalf and follows your instructions, it is your processor rather than an independent controller. A retailer hands its customer list to an email platform that sends campaigns for it and does nothing else with the data. Here GDPR Article 28 makes a data processing agreement mandatory and prescribes its contents: documented instructions, confidentiality, security, limits on sub-processors, help with data subject requests, and deletion or return of the data when the service ends.
If both sides decide the purposes together, you are joint controllers, and GDPR Article 26 requires an arrangement that sets out who is responsible for what, above all who answers to the people whose data it is. The essence of that arrangement has to be made available to those individuals, and they can exercise their rights against either party.
The dividing line is always who decides the purpose. The same data can flow in each case, but the legal instrument differs because the control does.
Vague purpose clauses. A clause like "for analysis and business purposes" permits almost anything, so it controls almost nothing. Write down the specific use and the decisions it feeds.
Deletion you cannot actually perform. A duty to delete is only real when both sides know where copies, backups, and exports sit. Without data lineage that is guesswork, and the clause becomes a promise nobody can keep.
Definitions that quietly differ. If your "active customer" is not the receiving side's "active customer", the same dataset supports two different conclusions. Agree the definitions, not only the fields. That is ordinary data governance applied across an organisational boundary.
Confusing it with a data contract. A data contract pins down the schema, fields, and delivery between systems; a data sharing agreement pins down why the data may be used and by whom. A partnership often needs both, and one of them working does not mean the other exists.
Leaning on a technical control alone. A data clean room can enforce some limits by construction, but it does not record the purpose or the roles, so it does not replace the agreement.
Data protection decisions turn on the specifics of each case. For sensitive data, large-scale sharing, or anything novel, bring in legal and privacy specialists rather than leaning on a template.
ABAC decides access by evaluating attributes of the person, the resource, the action, and the context against a policy, instead of by member...
Read definitionThe AI Act is the European Union regulation that governs artificial intelligence. It sorts AI systems by risk and places obligations on anyo...
Read definitionAI literacy is the knowledge and judgement people need to use AI responsibly: understanding what a model can do, checking its output, protec...
Read definitionAnonymisation makes data no longer reasonably linkable to a person. Pseudonymisation replaces identifiers with codes but keeps a route back ...
Read definitionAn approval workflow routes a request to the people who must sign off before it takes effect. A purchase, an expense, a data change, or an a...
Read definition
A step by step guide on how you can create an event log for process mining.
Test data ideas fast with pretotyping. Learn how to validate concepts in days, avoid over-engineering, and build what truly adds value.