The Gibraltar Regulatory Authority ('GRA') announced, on 18 August 2021, that it had published its Data Sharing Code of Practice. In particular, the code provides detailed guidance and good practice for the sharing of personal data between organisations and provides a general framework which organisations can use to develop their own data sharing arrangements and ensure compliance with the Gibraltar General Data Protection Regulation ('the Gibraltar GDPR') and the Data Protection Act 2004. Furthermore, the GRA highlighted that the code provides organisations with information on how they can share personal data in a fair, safe, and transparent manner and guide them through the practical steps they need to take to share personal data while protecting individuals' rights and freedoms.

Notably, the code addresses circumstances in which data sharing requires the carrying out of a Data Protection Impact Assessment ('DPIA'), and recommends that organisations carry out a DPIA, even if they are not legally required to do one, as this will allow organisations to demonstrate compliance with data protection and ensure fairness and transparency, which will promote trust in the proposed data sharing. In addition, the code recommends that organisations implement data sharing agreements, whilst also detailing the advised content for such agreements. Further to this, the code outlines that data sharing agreements, though not providing full immunity from violations of data protection law, will be taken into consideration where a breach of the law occurs and may therefore mitigate the risk of enforcement action.

You can read the code here.