Guide: Essential Enterprise Data Protection

Data Sharing and Third Parties

As more organizations seek to transform data into value, companies that directly exchange data with select partners are gaining traction. Third-party data can add significant value in such arrangements.

In the financial services industry, for example, providers have traditionally relied on third-party data to send pre-approved offers to consumers. Today, savvy marketers are relying on non-bureau-based second-party data to deliver insights. A credit card issuer who wants to increase sign-ups for its co-branded card with retail partners can purchase transaction data in order to identify the retailer’s frequent shoppers and combine this data with its first-party consumer data to identify which consumers lack a co-branded card. It can then share this data with the retail partner under the terms of their agreement and, together, deliver more relevant co-marketing to these loyal customers

It’s not uncommon for an enterprise to share data with 500 third parties across different functional areas from marketing to customer service to supply chain.

What is a Third-Party Data Sharing Vendor?

A third-party data sharing vendor is a business entity that does not have direct relationships with your customers (first party) but has an agreement with your company (second party) to provide new data or analyze existing internal data. Oftentimes, third-party data is from a variety of web platforms that is collected, cleaned, and consolidated by a third-party data provider for the purpose of enriching existing data sets collected by your company.

What Is an Example of a Third Party?

Some examples of third-party data sharing vendors include:

  • Suppliers
  • Distribution channels Partners and resellers
  • Network Security tools
  • Monitoring solutions
  • Customer Relationships Management (CRM) tools
  • Digital marketing systems
  • Employee and customer screening and reputation services
  • Media agencies

What Is Third-Party Data Sharing?

Third-party data is any user information collected by an entity that does not have a direct relationship with that user. Often, third-party data is collected from a variety of websites and platforms and then aggregated by a third-party data provider such as a DMP.

What Is a Data Sharing Agreement?

A data sharing agreement is a legal document laying out the contractual terms and conditions agreed upon by participating parties. It typically includes a specific description of the data being shared, license grants, limited use restrictions, required data protection safeguards, and privacy and identification related guidelines.

What Is Third-Party Risk?

Third party risk involves the following factors:

  • Data breach – if a data breach occurs at one of your third party partners, the data you have shared may be compromised or exposed.
  • Rapid response – in most cases a data breach will be followed by a rapid response process driven by the organization’s data privacy team. When multiple parties are involved, this process becomes more complicated.
  • Non-mature data governance practices – you have little control over the practices and maturity levels of your third party partners, which may result in lower standards of data protection programs.
  • Loss of control – data is a transient object, it’s being moved and aggregated by different backup systems or data pipelines and may end up in the hands of subsequent parties who have no legal obligations to you (fourth or fifth parties).
  • Traceability – tracing data back to its origin is complex, time consuming, and may rely on variables outside your control (e.g. tools, logs, and retention periods). This process is hard to accomplish within your enterprise environment and almost impossible when multiple parties are involved

How to Mitigate Third-Party Risk and Why It is Important

  • Focus on sensitive and personal information – separate between third parties who you share sensitive data with and those who you do not.
  • Make de-identification the default – shared data is always de-identified. Anything else should be the exception (and not the other way around).
  • Know your third-party data flows and keep an inventory – continually track which third parties use your data.
  • Know which business process depends on third party partners – doing so enables conducting impact analysis and removal of third parties without disrupting normal business operations.
  • Frequently review your policy – make sure to remove obsolete third party partners and avoid data proliferation.
  • Implement a fourth-party notification process – make sure to treat fourth party partners like any other third party partners to avoid losing control.
  • Actively manage risk – make sure your board-of-directors and executive team understand the need for data sharing and the associated risks. This precaution will help you maintain the required resources to keep data safe.

Satori Enables Secure and Simple Data Sharing

Satori enables your data owners to easily share data on any database, data warehouse or data lake with data consumers. This is done while keeping sensitive data secure.

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such. Information on this website may not constitute the most up-to-date legal or other information. The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article and all liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed. You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. This article may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.