The Data Pitch programme was one of the first of its kind to encourage large organisations to work with innovative startups, sharing their data with them in order to find new solutions to industry problems.
Sharing datasets between two parties can lead to improved efficiency, enhanced insights, better business models and new products and services. Examples* include the Milton Keynes Data Hub (MK Data Hub) which collects and integrates data on energy, water and transport, to enable the development of smart city solutions and improve services, and APROCONE (Advanced Product Concept Analysis Environment) which uses better data sharing to facilitate integrated aircraft design, speeding up the process, improving products and reducing costs. Yet the perceived risks around opening up data to ‘outsiders’ often act as a barrier – in particular, concerns about legal issues.
Data Pitch Panel guest Sarah Cameron, Legal Director at Pinsent Masons, says: “Many people hold the opinion that legal frameworks are inhibitors to data sharing when really their role is to enable it. Through the right legal processes, we can facilitate trustworthy data sharing relationships that can lead to real societal and economic impact.”
No data can or should be shared without a legal risk assessment, but achieving legal compliance is a complex process. Programmes like Data Pitch can help overcome these difficulties, and you can find our key findings below:
Make sure you can access the right expertise
Most data-led startups are too small to have legal resources in-house and do not feel able to confidently negotiate and draw up legal contracts. Even guidance from external lawyers is not always comprehensive, as they can lack the technical expertise needed to understand specific issues and advice may be generic rather than addressing a particular challenge. Programmes such as Data Pitch can help through training workshops and one-to-one support to ensure that startups are looking at the whole picture and achieving compliance.
For example, Data Pitch startup Heptasense is a Portuguese company which uses AI software to recognise threats and predict events such as road accidents, alerting security and emergency services and improving response times for dangerous incidents. However, in order to create its software, the startup needs data such as license plate numbers from surveillance and traffic cameras, which can be used to identify individuals. Data Pitch advised Heptasense to take an intensive GDPR privacy course and invest in staff training, the costs of which were met by the programme’s funding. This helped them identify potential issues and address them.
Get buy-in at a senior level if you want to maximise the value of your data
Larger organisations, or Data Providers, are often reluctant to share data with startups. As the Data Pitch programme progressed, we found that, in the minds of the in-house teams, a lack of understanding about what data could be shared and a real fear of repercussions if the data were to be misused outweighed the organisational risk of not realising the value of the data. Legal departments were less likely to agree to share data if they thought there was a chance that something could go wrong, so senior-level support is essential, as is making sure that everybody in the data sharing process is involved at an early stage.
Johanna Walker, Senior Research Assistant and Data Provider Liaison for Data Pitch, says: “It is far better to involve the legal department in early discussions rather than go to them at the end with a finished contract. They need to see how cautious the process that led up to it has been. Our advice is always to engage the team from the beginning, explaining why data sharing is being proposed and how the technical risk has been thought through and addressed. By explaining what protections are being put in place, you can reassure them that you are taking a risk-minimising approach for a good reason.”
Start early and keep on top of things
Data Pitch’s legal adviser Sophie Stalla-Bourdillon cautions companies to think about the requirements for collecting and sharing data in their businesses from the outset. She says: “The earlier you embed processes for sharing data, the better and easier it is to comply with legal requirements.”
It is tempting to outsource compliance issues, but you are the ones sharing or using the data so you are best placed to map data flows, identify key stakeholders, determine the levels of personal data involved, assess risk and carry out impact assessments. It is also going to be up to the data sharer to make sure data is in the right format and any necessary anonymisation or pseudonymisation has been carried out. This can be time-consuming, so you should build in plenty of time and estimate the cost of this from the start.
An accelerator programme such as Data Pitch can help you think through the steps needed to assess risks, pre-process data and design a data-sharing agreement, reducing the chances of mistakes being made. There will still be considerable input required in-house, but a third party can set up a framework and advise on best practice.
Every Data Pitch startup we worked with completed a data sharing agreement using a template we created which helped them to work through the process. This resource is available here (see page 13 onwards) and is free to use by any organisations interested in sharing data.
Show that you have a good reason for sharing data
Companies must be able to show that the amount and type of data they are sharing and processing is necessary to achieve their objectives, and proportional to the risks identified.
Under GDPR it is essential that you carry out a Data Protection Impact Assessment (DPIA) in circumstances where processing data might constitute a risk to the rights of individuals. Failure to do so may lead to heavy fines, as has been well-publicised. Our Legal and Privacy Toolkit can help you to think through the steps involved.
One Data Provider that we worked with was Konica Minolta, whose data was going to be processed in Serbia, which is across the GDPR border. We therefore had to be absolutely sure that there was nothing related to personal data present. We helped ensure that the data passed to the Serbian SME was sufficient for the delivery of their project while at the same time complying with GDPR. This involved going into detail about what data Konica was holding and how its sales process worked.
Data Pitch made all startups who brought their own data to the programme fill in a self-supplied data record, explaining what data they were able to share and why, and assessing the level of risk. If any personal information was included, anonymisation techniques were applied. In addition, all Data Providers were asked to fill in a Legal and Technical questionnaire.
Be aware of country variations
Rules around data legislation in Europe are publicly available. The Information Commissioner’s Office (ICO) has a guide to GDPR as it applies in the UK, and full guidance is on the European Commission website. However, there may also be regional variations. For example, there is a list of potential hazards to consider when undertaking a DPIA which is available at an EU level, but the different member states also have their own list issued by their national supervisory authorities, so it is necessary to understand these as well. A data sharing programme can help advise you and make sure that you are not overlooking any legal criteria.
In conclusion, understanding and adhering to legal requirements means protecting yourself against possible penalties and ensuring that your data can be used as an asset. Working with an accelerator programme such as Data Pitch can help you manage, track and audit data sharing in a way which meets the legal privacy and fairness requirements, ensuring that your processes are transparent, fair and accountable.
Data Sharing Toolkit – Lessons learned, resources and recommendations for sharing data – Gefion Thuermer, Johanna Walker, Elena Simperl
Legal and Privacy Toolkit v1 – Stalla-Bourdillon & Knight, 2017
Legal and Privacy Toolkit v2 – Stalla-Bourdillon & Carmichael, 2018
Anonymous Data v Personal Data: an EU Perspective (Stalla-Bourdillon & Knight 2017)
European Commission regulation on the free flow of non-personal data (European Commission 2019)
*Examples taken from the Royal Academy of Engineering website – case studies
Image from Sarah Cameron’s panel at the Data Pitch Cohort 2 launch event.