Due Diligence: Third Party Data Vendors
First Party Data
• First-party data is YOUR data, collected from your own audience and customers. This can include data from:
• Behaviors, actions or interests demonstrated across your website(s);
• CRM data;
• subscription data;
• social data that you have rights to;
• or cross-platform data from mobile web or apps.
• High Value
• High Quality
• Safe
Third Party Data
• Third-party data is generated by another company, on other platforms, and is often aggregated from online or offline sources.
• There are many companies out there that sell third-party data, and it is accessible through many different avenues.
• It is much higher-risk than first-party data because you lack control over privacy and data collection practices.
Special Challenges for 3rd Party Data
• Industry Norms are deficient and outdated.
• Historical reliance on contracts is not sufficient for mitigating risk.
Reduce liability
Reputational risk?
Risk of getting dragged into litigation?
Must VALIDATE what is being represented and warranted in the contract.
• Vendor Risk Tolerance vs. Your Risk Tolerance
• Credentialing the data, not just the vendor.
• Laws and self-regulatory guidelines are often behind the curve.
4 Steps: Vendor & Data Due Diligence
1. Credential the Vendor
2. Credential the Data
3. Permission the Data
4. Ongoing Due Diligence
Credentialing the Vendor
• Assess the Risk: Classify the vendor based on level of risk.
• Type of data, company size, reputation, memberships, sophistication, understanding of privacy concerns, years in business, etc.
• Conduct due diligence to verify incorporation, memberships, complaints, open litigation, etc.
• Conduct a security assessment on the data delivery method.
• Identify the sub-vendors/data sources.
Credentialing the Data
• Risk-based approach based on the type of data and data collection.
• First, understand the data’s origin: government or public records, publicly available data, self-reported data, data from consumer-facing commercial entities, etc.
• Is the vendor a collector or an aggregator?
• Licensing Rights: Investigate whether the vendor has the legal and contractual rights to transfer the data for its intended purpose.
• Where applicable (data aggregators), request redacted contract terms demonstrating rights to license the data or create derivative products.
Credentialing the Data
Second, you must understand the privacy, legal, self-regulatory, and corporate burdens that must be met based on the type of data and method of data collection.
1. Privacy: Is notice and choice required? Is it sufficient?
2. Legal: Do any industry-specific laws apply?
• HIPAA, GLBA, FCRA, public records laws, etc.?
3. Self-Regulatory: Do any specific self-regs apply?
4. Corporate: Do any internal corporate policies or best practices apply?
• Corporate ethics
• Risk tolerance considerations: legal, reputational
• Specific corporate policies
Credentialing the Data
Third, once you know the burdens that must be met, validate that they have been met.
• Validate the vendor’s representations.
• Contracts are NOT enough!
• Can you trust the vendor’s representations? NO! (trust me)
• Difficult task for data aggregators.
• Consider the “consumer experience.”
• Privacy and licensing permissions follow the data.
Credentialing the Data
• Fourth, permission the data for use based on what you’ve learned.
• Privacy permissions and licensing rights follow the data.
• Conduct periodic assessment of permissions.
The Contract
The data licensing agreement (contract) should reflect what you’ve learned.
Reps and warranties about the data and data collection.
Permitted uses of the data.
Ongoing Due Diligence
• Perform ongoing due diligence for the vendor, the data, and your use of the data.
Annual re-certification
Due diligence at contract amendment and renewal
Internal audit of data use
Best Practices: Credentialing Questionnaire
• To start the due diligence process, develop a questionnaire to gather information about the vendor, the data, and the data’s collection.
• Saves time and identifies key issues and questions to be addressed.
Best Practices: Credentialing Questionnaire
Information about the VENDOR
1. Company name, address, website, contact person, etc.
2. State of incorporation.
3. Number of years in business.
4. Company size.
5. Corporate memberships and associations (e.g., IAPP, DAA, NAI, DMA, etc.).
6. A copy of the vendor’s consumer-facing privacy notice.
7. Has the company been part of a government inquiry or investigation in the last 12 months?
8. Pending litigation?
9. Consumer Affairs complaints?
Best Practices: Credentialing Questionnaire
Information about the DATA
1. A detailed description of the data/file.
2. A complete list of the data elements.
3. Is the vendor the original collector of the data or a data aggregator?
4. The original points of collection and the method of collection for the data.
5. In what country(ies) is the data collected and stored?
6. A copy of or link to every privacy policy (governing the collection, use, and transfer of the data) under which the data has been collected.
Best Practices: Credentialing Questionnaire
Information about the DATA
7. If data is collected online, a complete list of URLs (conduct a due diligence review of those URLs).
8. Notice: If the data is about individuals, is a privacy policy made available at the point of collection that includes information about the collection, transfer, and use of the individual’s information? Can those privacy policies be provided for review?
9. Choice: If the data is about individuals, do you (or the data collector) provide a mechanism by which the individual can exercise choice to “opt-out” or prevent transfer of their data to third parties?
10. Does the data contain any information on children/minors? If so, under 18? Under 13?
Best Practices: Annual Data Re-Certification
• Approved vendors should be contractually required to complete an “Annual Data Re-Certification” to ensure that the data collection methods of the data partner have not substantially changed and still meet all applicable requirements.
• Questions should be similar to the certification questionnaire and reviewed for changes.