Navigating Data Rights: A Guide for Enterprise Sellers

Shawn Flaherty
Tranquil Data
Nov 14, 2023 · 6 min read

Businesses selling products and services to large enterprises encounter buyers who are now more vigilant guardians of their data. These buyers demand assurances regarding the proper handling of their data before sharing it or authorizing the creation of data on their behalf. The means through which they ensure compliance are known as “data rights and obligations.” These rights and obligations materialize during the sales process through contracts managing the relationship between the parties, often referred to as Master Service Agreements (“MSAs”).

Smaller companies, facing an imbalance in bargaining power, are compelled to sign Master Service Agreements (MSAs) drafted by larger enterprise buyers. These extensive contracts delineate the rights and obligations of both parties. However, in the realm of enterprise B2B deals, the majority of these agreements establish rights for the enterprise buyer while placing obligations on the smaller seller.

Each section of the MSA reflects the intentions of various groups in the buyer’s organization, such as security or privacy teams. These groups have no interest in negotiating the obligations created for the seller because doing so represents risk to their function, with no upside for their group whether the deal is finalized or not. Sellers are left with few options:

(1) Walk away from the deal;

(2) Accept the MSA terms, neglect the specific obligations, and hope that the buyer won’t verify compliance;

(3) Accept the MSA terms and undertake the extensive work to meet the specific obligations outlined.

The drawbacks of options one and two are clear: lose the deal or take on significant risk. This makes option three the most viable choice, despite the challenge of fulfilling increasingly onerous MSA obligations. Common categories of challenging rights and obligations include data ownership, how data can be used and shared, security measures, retention and deletion, operational requirements, breach notification, compliance with regulations, and audit and reporting obligations.

This article zeroes in on three obligations where enterprise sellers have heightened their vigilance, particularly in response to the significant increase in incidents related to data use, data sharing, and audit.

Data Rights Provisions Limiting Internal Use & Sharing

Data rights that limit use and sharing can be elucidated through two dimensions: categories of data and the purpose of use. Common data categories encompass contact information, financial data, and sensitive categories like personal health information. Examples of typical purposes include communication, billing, or providing the service. The greater the number of categories and purposes contractually excluded from use, the more challenging it becomes for a seller to fulfill the requirement.

The diagram below serves as an illustrative tool to understand the difficulty of meeting data obligations. The hardest data obligations to meet are in box one, where many categories of data are restricted from many uses. A common instance of box one involves an obligation that strictly prohibits the use of any data categories for purposes other than providing the service. This can pose significant challenges, especially when sellers rely on a shared data platform and lack the capability to create dedicated software instances.

At the opposite end of the spectrum, in box three, a more manageable data rights obligation may restrict the use of one category of data for one purpose. A common example in healthcare is a prohibition on using personal health information for advertising. An example of box two is restricting all categories of data from being used to train algorithms. An example of box four is prohibiting the use of personal health information for any purpose other than providing the service.

When sellers negotiate a single MSA, they might be able to devise a unique workaround or manually ensure compliance with an obligation. However, the challenge intensifies when dealing with scale, where each enterprise customer presents custom MSAs with diverse data rights and obligations. This complexity is depicted in the diagram below, where the seller has entered into 24 agreements with companies A-Z. The sheer diversity of these obligations makes it nearly impossible to track all of the requirements, let alone to efficiently operationalize them.

Effectively managing and automating the complexity of meeting these obligations requires a new piece of infrastructure. We call this piece of infrastructure a “system of record for data context.” This system of record must capture knowledge about where data came from, why you have it, and ultimately what you can do with it. With this knowledge, manual processes can be replaced with real-time automated policy enforcement, ensuring that as data is used and shared it is done compliantly, in line with all MSA obligations.

Audit and Reporting

In the absence of a system of record for data context and automated enforcement, audits and reporting are costly and time-consuming endeavors. Companies tasked with an audit can often show that the rules were written down, but have no way of showing that the rules for data use and sharing were respected inside of systems without reconstructing historical data use and sharing with tools like data mapping.

With a system of record for data context and automated policy enforcement in place, it becomes possible to enable real-time audits. Instead of attempting to manually recreate a historical view, auditors can be given access to a BI tool that shows in real time the rules that were in place, how their data has been used and shared, and the details of the policy decisions that led to permitted and denied use and sharing.
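The following is an added example, not Tranquil Data's software or any code from the article. It encodes MSA restrictions along the two dimensions described earlier (data category and purpose of use), assigns each restriction to one of the four boxes of the diagram, enforces the restrictions per customer, and keeps an append-only log of every decision so that an audit view can show the rules in force next to the outcomes they produced. The customers A to D, the clause numbers, the MSA versions, and the category and purpose names are all constructed for illustration; the registry fails closed for data from a customer with no MSA on record, which is a design choice of this example rather than something the article states.

```python
"""Added example (not Tranquil Data's code): MSA data-use restrictions modelled as
category x purpose, enforced per customer, with an append-only decision log.
All customers, clause numbers, MSA versions, categories and purposes are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

ANY = "*"  # wildcard: every data category, or every purpose


@dataclass(frozen=True)
class Restriction:
    """One MSA clause: `categories` may not be used for `purposes`, except for
    the purposes carved out (typically 'provide_service')."""
    msa_version: str
    clause: str
    categories: frozenset
    purposes: frozenset
    carve_outs: frozenset = frozenset()

    def matches(self, category: str, purpose: str) -> bool:
        if purpose in self.carve_outs:
            return False
        in_category = ANY in self.categories or category in self.categories
        in_purpose = ANY in self.purposes or purpose in self.purposes
        return in_category and in_purpose

    def box(self) -> int:
        """Quadrant of the article's diagram: 1 = many categories / many purposes,
        2 = many categories / one purpose, 3 = one / one, 4 = one category / many purposes."""
        broad_cat = ANY in self.categories or len(self.categories) > 1
        broad_purpose = ANY in self.purposes or len(self.purposes) > 1
        if broad_cat and broad_purpose:
            return 1
        if broad_cat:
            return 2
        if broad_purpose:
            return 4
        return 3


@dataclass(frozen=True)
class Decision:
    timestamp: str
    customer: str
    category: str
    purpose: str
    permitted: bool
    reason: str


class DataContextRegistry:
    """Sketch of a system of record: which MSA clauses apply to each customer's
    data, plus every policy decision taken, so an auditor sees rules and
    outcomes side by side instead of reconstructing history."""

    def __init__(self) -> None:
        self._restrictions: dict[str, list[Restriction]] = {}
        self.decisions: list[Decision] = []

    def register(self, customer: str, *restrictions: Restriction) -> None:
        self._restrictions.setdefault(customer, []).extend(restrictions)

    def evaluate(self, customer: str, category: str, purpose: str) -> Decision:
        """Fail closed: data from a customer with no MSA on record is not usable."""
        if customer not in self._restrictions:
            return self._record(customer, category, purpose, False, "no MSA on record")
        for r in self._restrictions[customer]:
            if r.matches(category, purpose):
                reason = f"MSA {r.msa_version} clause {r.clause} (box {r.box()})"
                return self._record(customer, category, purpose, False, reason)
        return self._record(customer, category, purpose, True, "no restriction applies")

    def _record(self, customer, category, purpose, permitted, reason) -> Decision:
        d = Decision(datetime.now(timezone.utc).isoformat(), customer, category,
                     purpose, permitted, reason)
        self.decisions.append(d)  # append-only audit trail
        return d

    def audit_view(self, customer: str) -> dict:
        """What a real-time audit dashboard would expose for one customer."""
        rules = [(r.msa_version, r.clause, r.box()) for r in self._restrictions.get(customer, [])]
        return {"rules": rules, "decisions": [d for d in self.decisions if d.customer == customer]}


def build_demo() -> DataContextRegistry:
    """Four constructed customers, one per box of the diagram."""
    reg = DataContextRegistry()
    reg.register("A", Restriction("v2", "4.1", frozenset({ANY}), frozenset({ANY}),
                                  carve_outs=frozenset({"provide_service"})))  # box 1
    reg.register("B", Restriction("v1", "7.3", frozenset({ANY}), frozenset({"train_models"})))  # box 2
    reg.register("C", Restriction("v3", "9.2", frozenset({"phi"}), frozenset({"advertising"})))  # box 3
    reg.register("D", Restriction("v1", "5.5", frozenset({"phi"}), frozenset({ANY}),
                                  carve_outs=frozenset({"provide_service"})))  # box 4
    return reg


if __name__ == "__main__":
    reg = build_demo()
    for customer, category, purpose in [("A", "contact", "billing"), ("B", "financial", "train_models"),
                                        ("C", "phi", "advertising"), ("D", "phi", "billing"),
                                        ("Z", "contact", "billing")]:
        d = reg.evaluate(customer, category, purpose)
        print(f"{customer} {category}/{purpose}: {'permit' if d.permitted else 'deny'} ({d.reason})")
```

Each `Decision` carries the clause that drove it, so the audit view for a customer answers both questions an auditor asks: which rules were in force, and what each rule actually did to each use of the data. Adding a fifth customer with a different MSA is one more `register` call rather than a new manual process, which is the scaling point the article makes.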

At Tranquil Data, we have built the first system of record for data context described above. It captures all versions of policies, connects those to metadata about data across services, and relates this to knowledge about an individual’s attributes and relationships over time. The result is a graph dataset that speaks with integrity to the context of where data came from, why you have it, and what you may do with it. This knowledge is input to real-time, policy-driven enforcement within the data platform, providing a transparent audit trail that proves correct use in real-time.

In the view below, Google in their role as an employer / sponsor has signed an agreement to offer their employees a new digital health offering. The knowledge created in Tranquil Data’s software has been exported to a BI tool. Google has been granted access to this dashboard so that they can verify in real-time that their MSA data obligations have been met by the digital health company.

The transparency unlocked with a system of record for data context, automated enforcement, and transparent real-time auditability enables sales teams to use this capability on offense by showing prospects from day one that they can be counted on as a trusted steward of customer data.

If meeting data rights provisions in contracts is a challenge for you, we would love to talk: info@tranquildata.com
