TECH MATTERS

Data Monetization: Understanding and addressing the legal and regulatory challenges

In the Tech Matters Series, we will, in collaboration with leading corporate personalities from the global tech ecosystem, consider the latest in technology law and disputes, trending challenges faced by technology companies, and other technology related issues. The series will cover a diverse range of topics. For the inaugural piece in this series, we consider perspectives on data monetization with Ms Nishtha Kharb Shukla, Director of the Association of Corporate Counsel.

The phenomenon of Data Monetization

Data has overtaken oil as the most valuable asset on Earth, as reported by the Economist. Your personality, and behavioural traits, is now the most lucrative commodity out there. Global businesses may have unknowingly accumulated tonnes of data over the years. They may even have data which they are unaware of – such as metadata (data about data).

Those who discovered this potential source of wealth are increasingly looking to exploit these data, as data analysis can help businesses adapt to ever-changing market needs and gain better insights into consumer behaviour. Indeed, international businesses are gaining cognizance (not always with a full understanding of the legal implications) that data can be an asset that may be sold like any other product. This trend is otherwise known as “data monetization”, which refers to the efforts that businesses undertake to extract value from their data assets.

Data assets can generate revenue in three ways. It can be sold directly. It can allow companies to create proprietary products that can be sold, or it can be accumulated and adjusted, giving rise to information (for example, user activity and transaction data).

Challenges facing the monetization of personal data

Amongst the various kinds of data assets, personal data has the most potential to generate revenue for businesses. Personal data, however, poses a series of challenges that must be understood and addressed by businesses if it wishes to legitimately and effectively monetize such data assets.

Personal data is subject to a broad range of requirements including privacy and data protection regulations, and the commitments that organizations may have made to data subjects in their privacy notices, contracts, and other instruments. Such requirements and commitments place limitations on what and how personal data can be used, collected, and disclosed.

Businesses therefore have to consider the following legal and regulatory aspects of data monetization:

• Regulatory Requirements

A key challenge that regional or global corporate counsel would face would be to ascertain which regulatory framework would be applicable, and the extent in which other frameworks may apply. It may not be easy to reconcile the standards imposed by local data protection regulations with the standards imposed by other, overseas data protection regulations as may be applicable. At any one point in time, more than one set of standards may apply. For example, a South East Asian based branch of a global company may be collecting and managing personal data of European or British nationals, in which case the GDPR could apply on top of the local regulations. At the same time, compliance with a set of standards does not necessarily mean the other sets have been complied with. 

Under an applicable set of regulations, businesses may have the obligation to inform the data subjects about the purposes for using their data, and from what source they obtained the information. Businesses may also have to advise the individual about their right to object to the use of their personal data for direct marketing purposes. The individual should also have the right to access the information relating to themselves, to correct any erroneous information, and in certain circumstances erase the profile or personal data used to create it.

Additionally, businesses have to consider a range of methods to mask, modify or de-identify some of the personal data elements to accommodate the monetization process.

• Contractual sources of risk

In the process of data monetization, it is fundamental for businesses to be able to distinguish between business data and personal data, for each would require different treatment under the applicable laws.

Where the data is not personal data but business data, care must be taken not to breach the counterparty’s rights of confidentiality, proprietary assets, and business, trade secrets, with respect to the laws of the relevant country. Commercial agreements may also seek to restrict the use and disclosure of personal data. Such contractual restrictions may be buried in ownership or confidentiality provisions.

On the other hand, contracts may include stealthy clauses such as “we may use data that you provide to use to improve our services and for other business purposes”, and “you agree to provide us copies of any data that you possess regarding…”.

As such, a close review of existing contracts should be performed to determine the parameters of relevant restrictions, and how they affect intended uses. Additionally, businesses should decide how they want and need to use data, and ensure that future contracts are negotiated accordingly.

• Escalation protocols

Data Security is People Security. A corporation can have all the relevant double firewalls, encrypted network that survived several rounds of independent penetration testing, seemingly perfect password hygiene, and technically “cyber-secured” platforms, but it just takes one human error for a small virus to infect an entire global network.

Indeed, data security is not merely about compliance with regulations or being technically secure. Data security is a mindset. It requires the entire corporate culture of a company to be attuned to the proper treatment of personal data; and this means the relevant responsibilities lie not only with the assigned data protection officer of a company, but also with personnel across the whole corporate chain.

Accordingly, there should be adequate escalation protocols in place, including the relevant whistleblowing protections, for any data leakage to be escalated expediently.

The complexity is enhanced when the data leak occurs in one of the subsidiary or sister companies sitting in an overseas jurisdiction, which may impact upon the other companies in the same family group. The companies seated across different jurisdictions may have differing reporting obligations as required under the applicable regulations.

What companies should consider when preparing for data monetization

To prepare for data monetization, businesses also need to consider what is its data business model, and whether it has the requisite resources to execute a data monetization strategy. Business may consider the following:

• Locate all identifiers: It is important for a business to select the appropriate set of tools to scour its data repositories, such as those in cloud repositories and Internet of Things network. There are tools on the market that have varying capabilities which companies can employ to find out where their personal data assets are located, and what specific data elements are contained in these repositories.
• Matching the identifiers to the right identities: The next step would be to consolidate these data elements with the right identity. In the process of doing so, businesses have to factor in regulatory considerations and privacy-related requirements, and can consider sanitizing its data via techniques such as filtering, cleansing, pruning and conforming.
• Applying the right metadata to the identities: Businesses would then have to associate the identities with the metadata that their data processing generates. Metadata (ie. data about the data) can contain important information that can help the company address a variety of issues including data quality, regulatory restrictions, and obligations the company has to the data vis-à-vis contracts, privacy notices and/or consents related to the use of the data. Such information will help companies identify which data elements or records should be de-identified or anonymized prior to data aggregation or prior to conducting data analytics.

What this means for your business

It is apparent that more and more businesses are turning its data monetization strategies from a back-office technical function, to a critical driver of business transactions and customer experience. It is therefore important for businesses, in achieving their data monetization goals, to obtain legal advice so as to be kept up to date and be in compliance with the legal and regulatory framework for data privacy compliance.