Why ‘Permitted Use’ is at the Heart of Good Data Governance

When customers give an organization their personal details, there’s little doubt they still view it as their data. By handing over their personal information, they feel they are permitting the business to use their data in a particular way.

Defining the ‘permitted use’ is therefore crucial to how a company manages and uses customer data. It’s also increasingly important for maintaining customers’ trust and ensuring compliance with privacy laws. For example, under the European Union’s General Data Protection Regulation (GDPR), an organization may only collect customer data if it is transparent about how it intends to use the information, and if it gains customers’ consent to do so.

However, controlling the use of information across an organization isn’t easy—which is why it is essential to have a strong data governance framework.

The Consequences of Unrestricted Data Access

Without such a framework, it’s far too easy for sensitive data to end up in the wrong hands. One of the more extreme examples of this is Facebook’s Cambridge Analytica scandal, which involved unauthorized access to raw data from up to 87 million Facebook user profiles.

This case should concern other businesses because of the way Cambridge Analytica gained access to the data. It wasn’t a typical data breach perpetrated by hackers; Cambridge Analytica simply paid a researcher to harvest Facebook users’ data.

At the time, researchers could legitimately access Facebook user data for academic purposes. As Facebook has since pointed out, selling that data violated its terms of use. But the fact is that the world’s biggest social media company either couldn’t or didn’t control how an apparently legitimate partner used Facebook’s customer data.

The worry for many businesses is that they may be susceptible to a similar disaster. Is their information security strong enough to prevent accidental or deliberate data leaks? Do they have the controls to stop unauthorized use of information following formal or informal data exchanges with other organizations?

They may not be subject to worldwide headlines like Facebook, but the consequences of a data leak could be just as dire, if not more so, for many businesses. Privacy laws such as the GDPR include huge fines for non-compliance. In addition, consumers are punishing organizations that allow unauthorized use of personal data by taking their business elsewhere.

Defining Permitted Uses

It’s therefore vital that every organization has a data strategy and detailed policies that define access to and the permitted use of its datasets.

Factors to consider in such a policy include: who should have access to the dataset, what they can do with the data, what information can be shared with what teams internally and with other organizations, and whether roles need to be defined for different access and usage rights.

Importantly, permitted-use policies should include rules for how customers’ data can be used, along with strict processes for sharing customer-related information and gaining their consent before using or sharing their data.

How Our Governance Framework Can Help

But with your organization’s permitted-use policies defined, how do you ensure that all data sharing abides by these rules?

This is where Data Republic’s Senate platform comes in. Our platform helps a business apply and enforce its permitted-use policies across the organization and in data exchanges with other companies.

Senate includes a governance framework that gives businesses the controls they need to manage the risk of information disclosure while maximizing the utility of data.

The framework is particularly well suited to governing data exchanges between two or more organizations, because it can provide full visibility of and control over shared datasets.

For example, Senate’s data auditing functions allow an organization to track who accessed its dataset and how the data was used. In addition, Senate’s governance controls can ensure that all data collaboration with other organizations, including analytics, takes place on the platform and that only the approved data insights are extracted.

Governance Starts with Permitted Use

On Senate, every data-sharing or analysis project is subject to its governance framework. And that starts with setting the permitted use of the data.

In a typical data-sharing scenario on Senate, a data analyst creates a project and requests permission to use a dataset from the dataset’s ‘custodian’ (an authorized user assigned to protect and oversee use of the data). That request should include the proposed permitted use of the data, defining details such as how data will be used in the project and the proposed outputs that can be extracted from the platform.

The custodian can approve or reject the request, or negotiate with the analyst to vary the terms of permitted use. Once both parties agree, the terms are included in a data ‘license,’ which is a prerequisite for every data project on Senate.

With the permitted use of a dataset defined, similar future projects become much quicker and easier. Internal projects and data exchanges with other organizations become more repeatable. This opens opportunities to gain access to more data for new insights. There’s even potential to monetize your organization’s data if it’s valuable enough to other businesses.

What Permitted Use Should Cover

On Senate, a dataset cannot be used without the data custodian’s approval. The custodian also sets the governance controls for the dataset for each project, and can choose to retain full visibility of and control over the data.

Still, to avoid misunderstandings between two parties, we recommend making permitted-use terms as detailed as possible. As a general guideline, permitted-use requests to data custodians should include answers to the following questions:

  • What is the objective of your project?
  • Which datasets are you requesting?
  • Will you be combining the dataset with data from other sources?
  • Will data matching be required?
  • How will data be used in your project?
  • What outputs do you intend to extract from the Senate platform?
  • When will you require the data, and how long will you need access to it?
  • Will the project continue after outputs are extracted from Senate?
  • Will the project be ongoing? If so, will the dataset need to be refreshed with new or changed data?
  • Who are the output recipients of your data product?

Aligning with Customer Expectations

Senate’s data governance framework is second to none, providing all the tools any organization needs to protect its data and its customers’ personal information.

Our framework will ensure your business’s permitted-use policies are applied and enforced. For this reason, defining these policies is an important first step when using the Senate platform.

It’s also crucial that permitted-use policies align with customers’ privacy expectations—ensuring that customers’ data is only used or shared in ways that they have given consent to.

After all, what’s the point of analyzing data to gain more insights into your customers’ behaviors if those customers lose trust in your business?

For more details on how Senate works, see our whitepaper.