Lawyer reviewed templates
How to Draft a Data Sharing Agreement in the UK
If you need to know how to draft a data sharing agreement in the UK, you are in the right place. A data sharing agreement is a legally binding document that sets out the terms under which one organisation shares personal data with another. Under UK GDPR and the Data Protection Act 2018, having this agreement in place is not optional if you are sharing personal data with third parties — it is a practical necessity and, in many cases, a legal requirement. Without one, both parties are exposed to ICO enforcement risk, potential fines, and reputational damage. This guide walks you through exactly what needs to go into a UK-compliant data sharing agreement: the parties, the lawful basis for sharing, data categories, retention periods, security obligations, and what happens when things go wrong. Whether you are sharing customer data with a supplier, a partner, or a processor, this page gives you a clear, practical framework to get it right.
Why this matters
The Atornee approach
What you get
Before you sign checklist
FAQ
Is a data sharing agreement legally required in the UK?
Not always in the strict sense, but UK GDPR's accountability principle means you need to be able to demonstrate that any data sharing is lawful, fair, and properly governed. In practice, a written agreement is the clearest way to do that. If you are sharing data with a processor — someone handling data on your behalf — a written contract is explicitly required under UK GDPR Article 28. For controller-to-controller sharing, a formal agreement is strongly recommended and expected by the ICO.
What is the difference between a data sharing agreement and a data processing agreement?
A data processing agreement (DPA) is used when one party processes personal data on behalf of another — for example, a cloud software provider handling your customer records. A data sharing agreement is used when two or more controllers share data with each other for their own purposes — for example, two businesses sharing a customer list for a joint marketing campaign. The legal obligations differ, so it matters which one you use.
What must a data sharing agreement include under UK law?
At minimum, a UK-compliant data sharing agreement should cover: the identity and role of each party, the categories of personal data and data subjects, the purpose and lawful basis for sharing, retention and deletion obligations, security requirements, breach notification procedures, and what happens when the agreement ends. If sensitive data is involved — health, financial, or biometric data — you should also consider whether a Data Protection Impact Assessment is needed.
Can I use a template data sharing agreement for UK businesses?
A template is a reasonable starting point, but it needs to reflect your specific situation. Generic templates often miss the lawful basis, get the controller or processor roles wrong, or use retention periods that do not match your actual practices. The ICO has published guidance on data sharing that is worth reading alongside any template. If you are using Atornee, the document is generated based on your inputs rather than a one-size-fits-all template.
Do I need a solicitor to draft a data sharing agreement?
For straightforward arrangements between UK businesses sharing non-sensitive data, a well-structured agreement generated with the right inputs is often sufficient. You should involve a solicitor if the data is sensitive, the sharing involves international transfers, the commercial stakes are high, or there is any ambiguity about who controls the data. Atornee is honest about this — it helps you get to a solid draft quickly, but it is not a substitute for legal advice in complex situations.
What happens if we share data without a data sharing agreement?
If the ICO investigates a data breach or complaint and finds you were sharing personal data without a documented agreement, it weakens your position significantly. You may face enforcement action, fines, or reputational damage. Beyond regulatory risk, the absence of an agreement means there is no clear record of what was agreed — leaving you exposed if the other party misuses the data or disputes their obligations.
Related Atornee Guides
Cheap Contract Solicitor Alternative (UK)
Useful if you want to understand how Atornee fits into your broader contract workflow beyond data sharing.
Cheap Solicitor for NDA (UK)
If confidentiality is also a concern alongside data sharing, pairing an NDA with your data sharing agreement is worth considering.
Atornee Use Cases
See how UK founders and operators use Atornee across different business and compliance scenarios.
External References
ICO Guidance for Organisations
The ICO is the UK data protection authority. Their guidance on data sharing is the primary reference for what regulators expect.
UK Legislation
Primary statutory source for the Data Protection Act 2018 and UK GDPR as retained in UK law.
GOV.UK Business and Self-employed
Official UK government guidance on business operations, including data protection obligations for UK businesses.
Trust & Verification Policy
Authored By
Atornee Editorial Team
UK Data Protection and Contract Research
Reviewed By
Compliance Review Desk
UK Business Legal Content QA
"This content is based on analysis of UK GDPR, the Data Protection Act 2018, and ICO published guidance on data sharing arrangements. It reflects the practical questions UK founders and operators ask when setting up data sharing arrangements with suppliers, partners, and processors."
References & Sources
Ready to generate your document?
Review, edit, and export your legal document in minutes. Stop wasting time reading templates from 2010.
Generate Data Sharing Agreement Now- No hidden fees
- Instant PDF/Word Export
- Lawyer Reviewed Templates
By continuing, you agree to our Terms. This is AI-generated guidance, not legal advice.