Sharing data with yourself

If your business consists of more than one entity – meaning you have a ‘group’ of companies, however large or small – you are likely to be sharing data between them. For example, if any of the following statements are true, it means that intra-group data sharing is taking place:

• Each entity in the group has a separate system, and data passes between entities.
• Different entities can access data stored on systems operated by other group members. 
• One group company provides a range of back-office services for others in the group involving the transfer or storage of customer or supplier data.
• One company provides group HR services, accessing or storing data relating to people employed by other group companies.
• Managers supervise staff who are employed in other group companies.

Appropriate controls

Any data sharing, whether one-off or continuous, should be identified and properly documented, whatever group entities are involved. Appropriate controls – including both technical security measures and organisational controls over who gets access to what data – should be in place to protect confidential business information.

Data protection law will apply to any personal data being processed by corporate entities within the same group structure and every instance of sharing data should be identified and properly documented. International transfers of personal data (such as from the UK or the European Economic Area to other locations) may need additional controls to ensure all applicable data protection laws are being complied with when making transfers.

Do you need an IGDTA?

An IGDTA is an intra-group data transfer agreement. Many organisations that share data between group companies opt to put such an agreement in place.

IGDTAs need to be drafted carefully. In complex organisations – particularly large international businesses – they have to regulate the movement of data between dozens, or even hundreds, of group entities. But they offer a number of potential benefits. For example, an IGDTA may:

• Assist you in documenting the data transfers that occur within your group, helping to ensure that you have appropriate knowledge and control over how data is being shared.
• Help you with your regulatory requirements under data protection law – particularly in situations involving international data transfers. 
• In sectors such as financial services that are subject to additional regulations, an IGDTA may help to demonstrate compliance by incorporating further conditions, such as information security and business continuity provisions.
• Avoid the need for individual bilateral arrangements between group companies.
• Help you understand how data is used across your organisation.