Jocelyn S Paulley
Partner
Co-Head of the Retail Sector (UK)
Co-lead of Data Protection and Cyber Security sector (UK)
Article
12
Business-to-business (B2B) data sharing with all its benefits is only possible if organisations comply with their privacy and cyber security obligations. Otherwise, any potential gains will be outweighed by business disruption, reputational damage and – in the worst cases – regulatory penalties.
Most businesses are aware of this risk. Privacy concerns are the most common reason for businesses not sharing data, according to a survey by technology consultancy Everis. Indeed, many are perhaps being overly cautious: the belief that "data protection law stops all organisations and businesses from sharing personal data" is a commonly held myth, according to the UK Information Commissioner's Office.
However, businesses wanting to share data do face a range of risks, from breaches of privacy regulations and data protection laws, to falling victim to a cyber attack.
As businesses deal with ever-larger volumes of data, the chances of an inadvertent privacy breach also grow. There are particular risks around sharing data blended from other datasets and incorporating personal data into those products or services.
And over the last decade, the threat from ransomware – where companies are denied access to their data until they pay to decrypt it – has increased to the point that it is among boards' top security concerns.
Nonetheless, businesses can mitigate both privacy and security risks through training, infrastructure investment, and, above all, careful planning and a good understanding of their data assets. If such steps are undertaken correctly, privacy and cyber security risks should not stand in the way of effective B2B data sharing.
To understand how privacy rules might apply to a B2B data sharing initiative, businesses must first establish the nature of the data to be shared: they need to know which data is 'open' and can be used freely, and which is confidential. And, under privacy legislation, including the EU and UK's General Data Protection Regulation (GDPR), they need to distinguish between personal and non-personal data.
"As you would expect, there absolutely needs to be a focus on the privacy aspects," says Helen Davenport, a partner at Gowling WLG and co-lead of the firm's Data Protection and Cyber Security practice. "Does this involve personal data? If it does involve personal data, how are we going to go about that?"
If data is personal, then business must follow the seven key principles set out in Article 5 of the UK GDPR, which state that personal data must be processed lawfully, fairly and transparently. These rest, in turn, on the lawful bases for processing, which need to be documented.
Organisations should determine the legal bases at the start of any data sharing project. "You need to ask whether you have lawful grounds for doing what you are going to do in the sharing of data," says Jocelyn Paulley, partner at Gowling WLG and co-lead of the firm's Data Protection and Cyber Security team alongside Davenport. "There are a set number of lawful grounds in the legislation. And there are additional lawful grounds if you're dealing with special category data. That's why you have to know what you're dealing with."
Businesses often rely on consent as the legal grounds for processing personal data, but this may not provide the most appropriate grounds if data is shared or repurposed. And there are practical issues, such as the need to renew consent after it has been shared and to ensure that third parties follow the rules.
Companies may instead rely on legitimate interest as the basis for sharing personal data. To do so in the UK, they need to apply a three-part test: are they pursuing a legitimate interest, is the processing of data necessary for that interest, and do the individual's interests override that of the company?
In future, this might change – drafts of the UK's upcoming Data Protection and Digital Information Bill spell out various legitimate interests. But for now, organisations sharing data need to show that they have categorised the data, followed the key principles and established the legal basis for sharing it. Failure to do so could put the organisation in breach of GDPR, leading to both reputational damage and regulatory penalties. Such penalties will be less severe when the company has taken due care.
Carefully categorising datasets plans to provide the Retail Energy Code Company, a UK non-profit that oversees selling practices in the energy market, the ability to share data more effectively, explains Pete Davies, director of data, technology and transformation.
"One project that we kicked off was to assess all data items the Retail Energy Code governs. We categorised individual data items as open, conditionally open, personal, and prohibited. The conditionally open category is important as it highlights that these items may become personal if they are blended with other data items, so judgement is required," he explains.
With a good understanding of data assets, data sharing can be used to consumers' benefit, Pete adds. Some information on households, such as their address, is treated as personal but other data, such as the type of meter it has, is not. This data can therefore be used by third parties for innovation, Pete explains, and is currently being used by the Retail Energy Code Company to counter energy theft.
Determining the legal status of data has also allowed SMMT Data Intelligence, a spin-out from UK trade body the Society of Motor Manufacturers and Traders (SMMT), to make the most of its assets.
"Because we hold the vehicle identification numbers, we are obliged to follow security guidance from the Cabinet Office," says Seftton Samuels, managing director of SMMT Data Intelligence. "The Cabinet Office has oversight of the handling of the datasets we receive from government agencies because it's deemed to be of national interest.
"We also have to fulfil regular privacy impact assessments on the handling of personal data," Samuels explains. "Those literally track the journey of the data from its source right the way through our systems."
The controls that SMMT Data Intelligence has in place to manage this data are now enabling the organisation to provide data services to third parties, including government and commercial interests.
"For personal information, we always insist on clarity on the data controller measures, Samuels says. "We look to build in security and compliance protocols and measures right from the outset." Following best practices from the outset lets the organisation add to its data services and stay compliant.
This discipline also empowers the organisation to use data from third-party services with confidence. "If we're handling data, obviously, we check we are satisfying any specific compliance requirements from that data source," says Samuels. "But if you're already operating at a high standard, then handling third-party data shouldn't bring incremental concerns."
In addition to protecting against privacy breaches, businesses embarking on data sharing initiatives must also guard against malicious attacks. Such initiatives, which bring together large volumes of information from multiple sources, make an attractive target for both criminal groups and nation-state actors. Businesses that depend on data sharing for their operations are at added risk from ransomware and other attacks that disrupt digital supply chains.
"It would be hugely difficult if an organisation is the recipient of shared data and then they were the subject of a ransomware attack, and then the shared data is the very data that the hacker is threatening to publish on the dark web if the ransom is not paid," warns Davenport.
Although no cyber security defences are infallible, considering security at the outset of any data sharing project will greatly reduce the risks. In fact, good practice in cyber security is a key enabler for driving more value from data assets.
Early planning has been crucial for the Pensions Dashboards Programme, a data sharing scheme being set up to give savers a single, online view of their pension holdings. "[The programme] recruited security experts fairly early in the whole programme, even before they procured the people to build the Dashboard," recalls Chris Connelly, chief strategy officer at Heywood Pension Technology, one of the firms building the dashboard.
The scheme follows a federated data model, meaning that participating organisations share access to their data, not the data itself. Securing the data therefore requires a different approach to building defences around a silo.
Connelly likens the federated data model to a spider diagram. "You try to secure all the legs of your spider, not just the body," he says. "You have to show how you have built the security throughout every single transaction." This extends to security around the application programming interfaces (APIs) that control the data transfer.
The key to ensuring security and data privacy when sharing data is to look at the risks in advance. When it comes to regulatory risks, this is made harder by the complexity of the relevant laws and regulations.
"This is a challenge, as the cyber security legal and regulatory landscape is a patchwork, and the challenge is exacerbated where the laws of multiple jurisdictions are relevant," says Davenport. Furthermore, she adds, "legal and regulatory requirements also often do not prescribe particular technical measures."
Legal and technical advice are both vital, therefore – especially before making any changes in business processes or launching new data sharing initiatives that could expose the business to new risks.
Equally important is collaboration across the organisation. "Taking a robust approach requires collaboration within a business, including input from legal, governance, risk management and compliance, and IT and security personnel," says Davenport.
Want to learn more about B2B data sharing? Read the other articles in our Data Unlocked series:
If you have any questions relating to this article, or data protection and cyber security in general, please contact Patrick Arben or Jocelyn Paulley.
You can also sign up to our mailing list to receive future data-related articles.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.