One of the biggest concerns we have when we talk to clients about how to create data partnerships is the security and protection of data. We don’t mean cybersecurity and the literal safeguarding of information, though that’s undoubtedly essential too. Instead, we’re talking about ensuring that datasets are used only as appropriate, are kept within the bounds of agreements, and are the source of rights (and revenues) promised when the partnership began. At the outset, no one wants to assume that their business partner is going to welch on an agreement, but the fact remains that they do, sometimes. It’s why having a lawyer around can be useful.
This is why you have to build specific provisions for safeguarding data into your data partnership agreements. These explicit approaches help deter bad actors as well as keep even the most well-intentioned partners from straying later. Often, the people who create or negotiate a data partnership are not the individuals that will build the integration, oversee its deployment, or monitor the financial relationships it creates. And the longer a partnership is in place, the more likely it is that the people who set it up originally won’t even work at those companies anymore. Because of this, you should use the tactics below to ensure the protection you intend for each partnership.
If It’s Important, Get It In Writing
It should go without saying, but too often, it doesn’t: The contract you execute with your partners needs a thorough legal review and depending upon which data partnership structure you are entering into (mutually beneficial, innovator, or channel), your contract needs to preserve your ability to protect your data assets and your business reputation. Focus on the ways that data can and cannot be used rather than just the technical discussion surrounding the methods of delivery. Too many contracts in the data world spend inordinate amounts of verbiage on the data transfer method, because the IT department has hijacked the legal documentation. Remember, if it was FTP yesterday, and API integration now, in 10 years, who knows, it could be a holographic handshake.
The point is, your contract can state a mutually-agreeable approach to data transfers, but it should focus far more on data usage, rights, and access. In general, a data agreement should outline its specific purpose clearly. For example, you may be providing data for quality purposes, for matching purposes, or for the creation of a derivative dataset that combines your data with the partner’s data. Each of these are examples of specific use cases that determine the partner’s permissible uses of the data. Be mindful, in particular, of derivative data rights.
Keep it Secret, Keep it Safe
Next, focus upon the confidentiality of terms in the agreement, including pricing. The contract itself is confidential but be sure the language specifically outlines how your relationship with each data partner is confidential. Remember that confidentiality is about far more than just limited access, as well. Although a particular data set may not itself have been disclosed to a third party, if proper use restrictions or metadata controls are not in place it can be very easy to work backwards to identify protected information. This is particularly important given how easy it is to re-identify supposedly “anonymous” or “de-identified” datasets of protected or sensitive data.
Along those lines, confidentiality and safeguarding data also has a highly important regulatory aspect as well. With legislation like GDPR, the California Consumer Privacy Act, or the wide array of regulatory requirements put in place each year, you must ensure that your data partners adhere to all applicable regulations as they handle your data, or you handle theirs. Going down with the ship is not a great strategy here, and we recommend that your DPO review your data partnership contracts as part of your company-wide dedication to compliance.
There are too many terms and potential caveats to name when discussing legal protections for your data partnership. That said, don’t let your legal team or your partner’s legal teams derail a great opportunity. The best attorneys we have worked with have been open and honest about their lack of topical knowledge when it comes to their clients’ data, so they tend to accept their role as identifying the security and privacy issues and not necessarily the nitty-gritty detail of datasets or data security.
Reporting and Audit Rights
What do you need to confirm that the data partnership is working? You need agreed-upon parameters that outline success, including reporting on metrics like records viewed, fields downloaded, matches made, or customers signed. Your contracts should require a meeting between the two partners, at least quarterly and ideally face-to-face, to review the progress and reports from the partnership together. These meetings are well worth the effort and help to maintain a healthy relationship. Remember, there is no shortage of datasets these days, so maintaining a transparent reporting regime with your partners through face to face meetings is imperative.
Audits are important too. Companies dislike audits. Many a data partnership has died on this hill because one of the companies refused to give or get the right to audit their partners’ use of their data. To be fair, a data audit is usually not nearly as difficult or intrusive as a financial or accounting audit but many lawyers don’t understand the difference. Depending upon the total value of the data partnership, audits may not be worth it. That said, the rights to bring your data audit team to a partner to ask for simple access controls, use cases, and account verification are reasonable, particularly in mutually beneficial data partnerships where the partners are similarly situated in size and reputation.
Weigh the value of this right against the cost. You may find that a compromise is possible, not through a typical audit, but through the less disruptive right to scrape or crawl a partner’s platform. Normally, the process of crawling and scraping, in which a partner uses a bot to read all the structured data on a page and stores it for their own use, is a touchy subject. In this case, you can get valuable insights from identifying the usage of your data within the partner’s platform. We have seen this approach work to generate “audit-like” data on the usage of your data, so long as you agree not to retain other data gathered from the scrape.
There are a wide array of other tools and methodologies to deploy in defense of your data — any number of which will help you protect the value of your data partnership. The point is not that any one of them is most important, but rather that any of them are worth considering. It’s only when you take data, privacy, data protection, and business strategy together as a unified whole that you’ll be able to craft the approach that best suits you, and that allows you to meaningfully find the kind of data leverage every company is looking for.