Like the issue of IP ownership in newly developed work, data rights have received considerable attention in many technology negotiations. When we address data privacy, we see that a vast and evolving range of regulations has been developed throughout the world to clearly define and protect the rights of natural persons in data. If data can be linked to a person (name, address, email address, Social Security number, credit card number, etc.), that natural person, often referred to as the Data Subject, has a very definite set of rights. In the US, states like California are in the process of implementing privacy regulations that will emulate much of the GDPR framework when it goes into effect next year. Nationally, the US has certain market-specific regulations that focus on very specific data, protecting health information, credit card processing and financial information. If you are a vendor and your customers are requesting information on your company, its security processes and compliance audit reports, like a SOC 2 report, you probably want to carefully control who has access to that data and how it is used.
Some SaaS services include the right to use data feeds provided by their vendors under license. Their SaaS license therefore includes an embedded sub-license that allows their customers to use the third-party data for the specific purposes set forth in the license during the license term. In that context, the value of the data provided is very time sensitive. As a result, your ability to use the SaaS-generated reports is typically provided without warranty, and even then, only offered for verification of prior compliance due diligence.
When you provide data, whether that data is personally identifiable information or just commercial data on your business, you may want to look to regulations like the EU General Data Protection Regulation for a framework of rights that you might want to reserve in that data. First, the data should be limited to a specific purpose, only the data that is necessary for that purpose should be provided, its use should be for a limited period of time, and it should be returned or destroyed when that use is completed; in GDPR that is referred to as data minimization by design. Before providing that data, you might also reserve the right to withdraw that data and the right to correct that data, and require the party that you give the data to to provide an accounting of whom that data has been shared with. You want to control the data that is being made available on you or your company to the greatest extent possible. These precautions are necessary to ensure that the data is used properly and that it remains accurate, complete and secure.
We represent buyers and sellers of IT products and services, cloud-based SaaS offerings and software licensing matters. If you or the organization you work for is tired of trying to develop, negotiate and/or modify consulting contracts, licenses, SOWs, HR agreements, and other business-related financial transactions, please contact me for a free consultation.