How to grant secure access to sensitive data

A decade’s worth of digital transformation was shoehorned into 2020 due to widespread lockdowns and the need for people to work, shop and entertain themselves remotely.

Accelerated digital transformation has many flow-on effects, but one of the most significant is that far more data gets collected. And as Big Data gets even bigger, organisations have more capacity to leverage that data to drive efficiencies, raise productivity, lower production and supply chain costs, increase sales and create new goods, services and industries.

But only if that data can be safely shared with the right people, and transferring data securely is no simple task.

In this article, we’ll highlight the dangers of sharing data in an unsecured manner and show you how your organisation can share data in a secure, governed and effective manner.

Dangers of insecure data sharing

Sharing data in an insecure manner is a huge potential risk to organisations given that any business that fails to collect, store, share and delete data appropriately risks the following:

Legal and financial penalties

The Big Bang of data privacy was the European Union introducing GDPR (General Data Protection Regulation) in mid-2018. Even if they don’t need to be GDPR-compliant, businesses all across the globe now have to comply with increasingly stringent regulations, and shell out large sums if they are found wanting. (Google, H&M, Telecom Italia, British Airways and Marriott have had to pay data breach fines ranging between US$20,000,000 – US$55,000,000 since the GDPR came into effect.)

Reputational damage

While some large businesses may be able to shrug off court cases and multimillion-dollar fines, they will face an existential threat if their customers start to believe they can’t be trusted with sensitive data. The classic case study here is Facebook, particularly in relation to its decision to share its users’ data with Cambridge Analytica.

Why giving secure access to data is important

Not unreasonably, C-suite types have long erred on the side of caution when it comes to sharing data. With some notable exceptions, the standard approach of senior business leaders has been to eschew ‘data partnerships’ and keep their internal data carefully guarded, only granting select employees access to it.

This ‘pull up the drawbridge’ approach was becoming untenable even before the pandemic arrived in early 2020 and will become near impossible in the months and years to come.

As observers ranging from PwC to McKinsey have convincingly argued, the pandemic accelerated digital transformation and amplified disruptive forces. In an increasingly fast-moving and volatile business environment, late adopters of Artificial Intelligence (AI) and Machine Learning (ML) risk being outcompeted by their more tech-savvy rivals.

Elizabeth Hickey, Data Republic’s Customer Success Manager, argues that while there may have been a time when businesses, especially larger ones, could simply hire tech talent to analyse data, those days are over. “Even the biggest players are now having to partner with those AI start-ups that are at the cutting-edge of IoT, natural language processing, image recognition and so on,” she says.

Common challenges with secure data sharing

There are three issues organisations can – and more often than not do – run into when they decide to share data with a third party.

The infrastructure issue

There are plenty of ways for Company X to share data with Company Y. Data can be put on a USB stick, then handed or couriered over. (Don’t laugh, this happens more often than might be imagined.) Data can be shared via a platform such as Dropbox. Or Company X’s IT team can spend weeks building something on top of, for instance, AWS infrastructure to facilitate data sharing. The problem with these data-sharing methods is that they are either not very secure or not very cost-effective.

The legal issue

It’s unlikely that Company X is going to want to give AI Start-up Y untrammelled access to its data. That means both parties are going to have to either tie up their legal team or hire a law firm to write a contract that provides clarity around:

  • What data is being shared
  • The conditions in which that data can and can’t be used
  • The purposes the data will be used for
  • How the data is stored (i.e. does it need to be encrypted or deidentified?)

The trust issue

Even if the infrastructure and legal side of things can be sorted out, there’s still the possibility of one party in a data-sharing arrangement doing something unethical but not legally prohibited. What happens, for example, if AI Start-up Y decides to somehow sneakily leverage Company X’s data to win new clients?

How to share data

Many businesses have never shared data with third parties and are unclear about what the process involves. If you own or work for a company that is contemplating lowering the data drawbridge for the first time, the following five-step ‘how to’ guide may be of use.

Step one: Identify partners and shared data

Work out what business (or businesses) you want to partner with, what data you want to share with them and what results you’re hoping to achieve.

For instance, a motor vehicle insurer might want to partner with an insurtech start-up. The insurer may be willing to share data about how many and what types of car accident claims it had to pay out during a 12-month period to gain insights that will help reduce costs.

Step two: Get a legal agreement in place

If preliminary negotiations are promising, the next step is to put a legal agreement in place. These legal agreements need to cover things like IP ownership, confidentiality, acceptable use of data, etc.

The conventional approach is for both parties to get their legal department to do this or outsource the work to a law firm.

However, research shows that one of the main causes of delays in establishing data partnerships is these legal negotiations. The back and forth on clauses around IP ownership, confidentiality, etc. is both time-consuming and expensive.

Businesses that share data via Data Sandbox (Data Republic’s data sharing product) are able to leverage Data Republic’s legal framework to expedite this process. The framework has two parts:

  • Common Legal Framework – This covers the foundational legal elements of data sharing, such as roles & responsibilities, confidentiality, IP ownership, data destruction, etc. This is only executed between parties once.
  • Data Licence – This specifies the use-case-specific terms, including what data can be accessed, what it can be used for, etc. This is executed on a per-use-case basis.

Whilst it’s always a good idea to have your own lawyers review agreements, the framework was built in conjunction with leading legal experts in the field and can help accelerate legal negotiations while offering strong protection on critical issues like Intellectual Property, Liability, Warranties, Indemnities, Confidentiality and more.

Step three: Share the data

Once the lawyers are happy, it’s time to actually share the data.

Depending on what data is being shared, there are a number of ways you could go about this. Tools like Box and Dropbox provide simple, cloud-based methods for sharing files. And of course, there are still the old school methods of placing it on USB sticks and sending it via courier.

If the data needs to be shared securely, perhaps because it’s commercially sensitive or contains personal information on customers, then it changes the game and you’ll need to use platforms built specifically for sharing data in a secure, governed, auditable manner.

Data Sandbox is an example of one of these platforms. You can upload the sensitive data to the platform and put in place controls around what can be done with the data. For instance, you might set it so that data can be removed from the platform but only by certain people with pre-defined approvals, or you might set it so that data can’t be removed from the platform at all and any analysis or use of the data has to be done in the secure virtual machines provided as part of the Data Sandbox platform.

Step four: Complete the work

Once the data is shared, the real work can begin. Continuing our example from earlier, it may be that the insurtech start-up analyses the insurer’s data inside the virtual machines provided by the Data Sandbox platform, and reveals that when policyholders email pictures of the damage done to their vehicle to the insurer, the quotes mechanics give for repair work drop by an average of 12 per cent.

Step five: End the relationship cleanly

The final stage of any data-sharing arrangement is ending it cleanly. To continue with the example above, this would mean the insurer ‘takes back’ its data from the insurtech start-up.

The risk here is that, with most data-sharing methods, it’s impossible to ensure data hasn’t been copied and won’t later be used for unauthorised ends.

This is again where secure, governed data sharing platforms can help. Instead of simply hoping that someone on the other end hasn’t made a copy of it, tools like Data Sandbox provide complete audit trails of everything that was done with the data so you can know exactly what people have access to.

Alternatively, if you don’t allow the data to be moved off the platform and instead make third parties work in virtual machines on the Data Sandbox platform, then all you need to do is shut down the virtual machines and all access is removed.

In conclusion

As the data economy has grown ever more important over the last 10-15 years, many CEOs, CIOs and CTOs have chosen to kick the data-sharing can down the road. In the post-pandemic era, this risk-averse approach will no longer be feasible. Those seeking to create data-driven companies capable of maintaining a competitive edge in the third decade of the 21st century will need to find a way to share data safely and efficiently.