Legal · 14 min

Assess GDPR compliance risks in a proposed data-sharing agreement between two organizations

Archetype: Critic Tier 3

Context

Two organizations are entering a joint data-sharing agreement involving EU citizen personal data. The data protection officer must assess GDPR compliance risks before the agreement is signed, producing a structured risk assessment that the legal team can act on and that satisfies regulatory documentation requirements.

Before (Unstructured)

"Check if this data-sharing agreement is GDPR compliant."

What is missing

  • No professional role established: who is conducting this assessment?
  • Binary framing (compliant/not compliant) misses the nuanced risk landscape
  • No specific data categories, volumes, or jurisdictions mentioned
  • No analytical methodology: which GDPR articles to assess against?
  • No evaluation criteria: how thorough should the analysis be?

After (MOTIVE-Structured)

[M] Motivation

As a data protection officer, I need to assess GDPR compliance risks because two organizations are entering a joint data-sharing agreement involving EU citizen personal data, and the legal team requires a risk-rated assessment before signing.

[O] Object

Deliver a risk assessment report with compliance gap matrix, risk severity ratings (High/Medium/Low), and prioritized remediation recommendations. Success criteria: (1) All relevant GDPR articles addressed, (2) Each risk rated by likelihood and impact, (3) Remediation actions assigned with deadlines.

[T] Tool

Use the ICO's Data Protection Impact Assessment methodology and GDPR Article 6/9 lawful basis analysis. Cross-reference with EDPB Guidelines 07/2020 on controller/processor concepts.

[I] Instruction

1. Identify all personal data categories in scope.
2. Assess the lawful basis for each processing activity under Art. 6 and Art. 9.
3. Evaluate cross-border transfer mechanisms (Art. 44-49).
4. Rate each identified risk by likelihood (1-5) and impact (1-5).
5. If regulatory guidance is ambiguous, note it as 'requires legal counsel review'.

[V] Variables

Jurisdictions: Germany, France. Data subjects: ~50,000 EU residents. Data types: Behavioral analytics, transactional records. Controller relationship: Joint controllers (Art. 26). Audience: Legal team and DPO. Format: Structured report with risk matrix. Exclude: Employee data, historical data pre-2020.

[E] Evaluation

Evaluate: (1) Legal accuracy 1-5, (2) Completeness of risk coverage 1-5, (3) Actionability of recommendations 1-5, (4) Regulatory citation accuracy 1-5. Flag any high-severity gaps immediately. If any criterion < 3.5, revise affected sections.

Output Comparison

Before Output

The data-sharing agreement should comply with GDPR. You need to ensure proper consent and data protection measures. Consider appointing a DPO and conducting a data protection impact assessment. Make sure transfers outside the EU have adequate safeguards.

The data-sharing agreement should comply with GDPR regulations. You need to ensure that proper consent mechanisms are in place before sharing any personal data. It's important to have a lawful basis for processing and to be transparent about how data will be used. You should consider appointing a Data Protection Officer if you haven't already, as this is often required under GDPR. A data protection impact assessment should also be conducted to identify and mitigate risks associated with the data-sharing arrangement. For any data transfers outside the EU, make sure you have adequate safeguards in place, such as Standard Contractual Clauses or Binding Corporate Rules. You should also review whether the receiving country has an adequacy decision from the European Commission. Finally, make sure to document your compliance efforts and keep records of processing activities. Regular reviews of the agreement should be conducted to ensure ongoing compliance. Consider consulting with a legal expert specializing in data protection to review the agreement before signing.

After Output

Risk R-003: Cross-border transfer mechanism (Art. 46). Severity: HIGH. The agreement specifies Standard Contractual Clauses (SCCs) but does not address the supplementary measures required post-Schrems II for Germany-France data flows involving behavioral analytics. Likelihood: 4/5. Impact: 5/5. Remediation: Conduct Transfer Impact Assessment per EDPB Recommendations 01/2020. Deadline: Before contract signing.

**Risk Register Summary**

This assessment identifies 6 compliance risks across 4 GDPR domains for the proposed joint data-sharing agreement covering ~50,000 EU resident records (behavioral analytics and transactional data). Assessment methodology follows ICO DPIA guidance and EDPB Guidelines 07/2020 on controller/processor concepts.

**Risk R-001: Lawful Basis (Art. 6(1))**

Severity: MEDIUM. The agreement cites legitimate interest (Art. 6(1)(f)) for behavioral analytics processing but lacks a documented Legitimate Interest Assessment (LIA). Likelihood: 3/5. Impact: 4/5. Risk Score: 12. Remediation: Complete LIA with balancing test per EDPB Guidelines 06/2014 prior to agreement execution. Deadline: 30 days pre-signing.

**Risk R-002: Joint Controller Arrangement (Art. 26)**

Severity: HIGH. The current draft does not specify allocation of data subject rights responsibilities between the two controllers. Art. 26(1) requires a transparent arrangement designating which controller handles access requests (Art. 15), rectification (Art. 16), and erasure (Art. 17). Likelihood: 4/5. Impact: 4/5. Risk Score: 16. Remediation: Draft Art. 26 arrangement with explicit responsibility matrix. Deadline: Before contract signing.

**Risk R-003: Cross-Border Transfer Mechanism (Art. 46)**

Severity: HIGH. The agreement specifies Standard Contractual Clauses (SCCs) but does not address supplementary measures required post-Schrems II for Germany-France data flows involving behavioral analytics. While both jurisdictions are within the EEA, the behavioral analytics data may be processed by sub-processors outside the EU. Likelihood: 4/5. Impact: 5/5. Risk Score: 20. Remediation: Conduct Transfer Impact Assessment per EDPB Recommendations 01/2020. Map all sub-processor locations. Deadline: Before contract signing.

**Severity/Likelihood Matrix & Next Steps**

Critical (Score 15+): R-002, R-003 — must be resolved before signing. Medium (Score 8-14): R-001 — resolve within 30 days.

Recommended: Schedule legal counsel review for all HIGH-severity items. Establish quarterly compliance review cadence post-signing.

Evaluation Scores

Average Before: 1.5/5
Average After: 5/5
Improvement: +233%

Scoring criteria, with weight and the MOTIVE components each assesses: Goal Alignment (25; M, O), Context Appropriateness (15; M, T, V), Clarity (25; I, V), Systematic Iteration (15; E). Each criterion is scored for Before MOTIVE (1-5) and After MOTIVE (1-5).

Key Improvement

The Tool component produced the largest quality impact by specifying ICO DPIA methodology and EDPB guidelines — replacing generic compliance advice with jurisdiction-specific, article-level regulatory analysis that meets documentation standards.
