The Essential Enterprise Data Protection Guide

Data Sharing and Third Parties

As more organizations seek to transform data into value, companies that directly exchange data with select partners are gaining traction. Third-party data can add significant value in such arrangements.

In the financial services industry, for example, providers have traditionally relied on third-party data to send pre-approved offers to consumers. Today, savvy marketers are relying on non-bureau-based second-party data to deliver insights. A credit card issuer that wants to increase sign-ups for its co-branded card with retail partners can purchase transaction data in order to identify the retailer’s frequent shoppers and combine this data with its first-party consumer data to identify which consumers lack a co-branded card. It can then share this data with the retail partner under the terms of their agreement and, together, deliver more relevant co-marketing to these loyal customers.

It’s not uncommon for an enterprise to share data with 500 third parties across different functional areas from marketing to customer service to supply chain.

What is a Third-Party Data Sharing Vendor?

A third-party data sharing vendor is a business entity that does not have direct relationships with your customers (first party) but has an agreement with your company (second party) to provide new data or analyze existing internal data. Often, third-party data is collected from a variety of web platforms, then cleaned and consolidated by a third-party data provider for the purpose of enriching existing data sets collected by your company.

What Is an Example of a Third Party?

Some examples of third-party data sharing vendors include:

  • Suppliers
  • Distribution channels
  • Partners and resellers
  • Network security tools
  • Monitoring solutions
  • Customer Relationship Management (CRM) tools
  • Digital marketing systems
  • Employee and customer screening and reputation services
  • Media agencies

What Is Third-Party Data Sharing?

Third-party data is any user information collected by an entity that does not have a direct relationship with that user. Often, third-party data is collected from a variety of websites and platforms and then aggregated by a third-party data provider such as a DMP.

What Is a Data Sharing Agreement?

A data sharing agreement is a legal document laying out the contractual terms and conditions agreed upon by participating parties. It typically includes a specific description of the data being shared, license grants, limited use restrictions, required data protection safeguards, and privacy and identification related guidelines.

What Is Third-Party Risk?

Third-party risk involves the following factors:

  • Data breach – if a data breach occurs at one of your third-party partners, the data you have shared may be compromised or exposed.
  • Rapid response – in most cases a data breach will be followed by a rapid response process driven by the organization’s data privacy team. When multiple parties are involved, this process becomes more complicated.
  • Immature data governance practices – you have little control over the practices and maturity levels of your third-party partners, which may result in lower standards of data protection.
  • Loss of control – data is transient: it is moved and aggregated by different backup systems or data pipelines and may end up in the hands of subsequent parties who have no legal obligations to you (fourth or fifth parties).
  • Traceability – tracing data back to its origin is complex, time consuming, and may rely on variables outside your control (e.g. tools, logs, and retention periods). This process is hard to accomplish within your enterprise environment and almost impossible when multiple parties are involved.

How to Mitigate Third-Party Risk and Why It is Important

  • Focus on sensitive and personal information – distinguish between third parties with whom you share sensitive data and those with whom you do not.
  • Make de-identification the default – shared data is always de-identified. Anything else should be the exception (and not the other way around).
  • Know your third-party data flows and keep an inventory – continually track which third parties use your data.
  • Know which business processes depend on third-party partners – doing so enables you to conduct impact analysis and remove third parties without disrupting normal business operations.
  • Frequently review your policy – make sure to remove obsolete third-party partners and avoid data proliferation.
  • Implement a fourth-party notification process – make sure to treat fourth-party partners like any other third-party partners to avoid losing control.
  • Actively manage risk – make sure your board of directors and executive team understand the need for data sharing and the associated risks. This precaution will help you maintain the required resources to keep data safe.