Ask an Expert

How to Do Privacy in Partnerships Right in 2023 (and Why It Matters)

This is the way to handle sensitive data — and the way not to.

Ok — I think everyone gets it. The traditional models of direct and indirect software distribution are out, and ecosystems are in. If 2022 taught partnership leaders how to identify and define ecosystems, then 2023 will be the year they’re built and scaled. 

Over the past seven years as a product manager and solutions consultant at PartnerStack, I’ve worked with thousands of partnership teams to operationalize partner-sourced revenue through their indirect channel. While the terminology has changed, the foundation of successful partnerships has not. The ecosystems of tomorrow will be built upon the same foundations as the successful partnerships of the past: trust and transparency.

As your ecosystem demands more information sharing, maintaining trust with your partners and your end customer data can feel much easier said than done. Regulatory fines are costing companies millions, browser policies are impacting performance marketing, and security threats all raise the stakes of a misstep. It can be a stressful time to open your doors to new partnerships.

Luckily for you, we can help you cut through the noise. This article will help you:

  • Understand common terminology used in data privacy regulations
  • Know how to apply regulations and policies to your partner ecosystem
  • Take tactical steps to enforce systematic trust in your ecosystem

Note: I am not a lawyer, nor do I pretend to be one on LinkedIn. Nothing in this article should be taken as legal advice.

Related: Partnership ecosystem insights explain how old and new worlds are colliding.

How the General Data Protection Regulation applies to partnerships

By now you have likely heard of GDPR — the General Data Protection Regulation — adopted by all EU nations in 2018. In short, the regulation formalizes a handful of data privacy principles that must be maintained to protect the personal data of citizens within the European Economic Area (EEA). Since then, Canada, Switzerland, Australia, the UK, and more than 120 other countries and five US states have established some form of privacy laws for the data protection of their citizens.

The good news is that most ecosystem leaders can cover the majority of these regulations by prioritizing universal principles put forth by the most restrictive guidelines. Before jumping into the rules, let’s get you caught up on some of the terms you’ll need to know to get started.

See more: The best ways to use a learning management system (LMS).

Learning the lingo

Building systematic trust in your ecosystem relationship starts with building awareness of the language of data privacy in 2023. The list below highlights terms and related concepts within data privacy regulations in 2023, along with common ecosystem examples. While there is some language variance globally, we’ll use the broadly accepted definitions outlined in article 4 of the GDPR.

Data subjects and personal data

By the book: According to the GDPR, personal data refers to “any information relating to a natural person (the data subject)”. An identifiable natural person is “one who can be identified, directly or indirectly, by an identifier such as a name, an ID number, location, an online identifier or other factors such as the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Ecosystem translation: When new users signup for your product or fill out a demo form, they are a data subject passing you their personal data (name, email, etc). Corporations aren’t individuals and are thus not data subjects protected under most privacy regulations.

Data controller and data processor

By the book: Per the GDPR’s definition, a data controller “determines the purposes and means of processing personal data”. A data processor engages in “processing personal data on behalf of the controller”.

Ecosystem translation: Your website describes a service to your prospects. When an individual prospect at an organization completes your demo form, your organization becomes the data controller of that information to determine how to process it appropriately. This may include multiple data processors who are downstream of your business. For instance, pushing the user’s data to a data enrichment service like ZoomInfo would be an example of your organization as a data controller deciding to pass the data to a processor for a valid business need. If a partner collects lead information and passes it to you as a referral through a partner portal, you might enter what could be considered a joint controller relationship where both you and your partner are responsible for the processing activities.

Data processing

By the book: Data processing is defined as “any operation by a processor performed on personal data” (such as collection, structuring, storage, use or disclosure) by the GDPR.

Ecosystem translation: Your ecosystem likely uses many tools including a CRM to report on revenue and pipeline, a PRM to manage partnerships securely, a lead enrichment and account mapping tool, a mailing provider like MailChimp, and others. The work these tools do (lead cleaning, email communication, reporting) is the data processing activities.

Data importer and data exporter

By the book: For European citizen data, the data exporter (a controller or processor) is subject to the GDPR for the given processing. The EDPB defines: “The data exporter transmits or makes available personal data to a data importer (another controller, joint controller, or processor). The data importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing”.

Ecosystem translation: A partner organization in the EU captures lead information that is passed to your organization in the US via an account mapping tool hosted in the US. The partner is the data exporter (the organization sending data outside of the EU), and the importer would be the account mapping tool. We’ll cover more on this when we talk about data processing agreements and standard clauses.

Related: I run a successful partnership program and these are my top tips.

Your ecosystem principles of trust

With these terms in mind, let’s highlight the major principles that will guide systematic trust across your partner ecosystem. We’ll focus here on rounding up the guiding principles put forth by GDPR, CCPA, and the Organization for Economic Co-operation and Development (OECD) that governments are using to inform regional regulations.

Remember, data privacy principles aim to protect the individual user’s identifiable information as it moves through a global ecosystem of tools working together to achieve the user’s needs. Just like  partnerships, these principles are all about the people.

Be fair, lawful, and transparent

Data shared in your ecosystem must be collected in a method that is transparent, and of fair use to the end user, all while following the rule of law. It is critical that your organization and other organizations in your ecosystem clearly inform data subjects how their data is going to be processed and for what reasons at the moment it is collected.

For example, in England, a software agency contacts one of its customers to inform them about a new product line offered by the customer’s CRM. However, it is not made clear to the customer that it was not the agency providing the demo of the new product line but that their data would be sent to the CRM company to fulfill any interest. The CRM in this case is the data controller of this user’s data. They have not handled the processing of their customer’s data in a transparent way by sharing it with an external partner without telling the customer.

Related: Our pick for CRM and the best B2B software on the market.

Limit the purposes of data collection

All personal data collected in your ecosystem should be collected for a determined, specific, and legitimate purpose that does not change after it is collected. The purpose of processing and the proposed use of the data must be clearly defined and explained to the data subject. Establishing clear limitations at the point of collection helps to protect your users’ data from further processing for which they did not provide consent.

Limit data collection

There is no easier data to secure than the data you don’t collect. Data collected within your ecosystem should only consist of the information that is necessary and relevant to achieve the purposes outlined to your customer. Necessity and relevancy are important factors to understand.

For example, an integration partner sending you a referral may need to communicate the referral’s location so your sales team can contact them at an appropriate time. Establishing the best time to call could be achieved by sharing a timezone code, looking up an exact location via IP address, or sharing a full address. While all are relevant for working out the best time to call, the full address and IP address lookup would be excessive (and thus not necessary) for the purposes of collection.

Maintain accurate data

When you collect and process each user’s data, you work with your ecosystem partners to fulfill a promise to that user. If the user’s information falls out of sync between systems or partners, the user may receive an incomplete or incorrect outcome for their service.

For instance, many product onboarding processes collect user preferences to provide product recommendations. If a user’s preferences are later updated but not communicated to relevant parties, the user can receive communications, services, or processing they did not consent to.

This is increasingly important for financial or healthcare products where inaccurate information can impact a user’s financial status (credit score services) or physical well-being (patient management software).

Limit the storage of data

Just as you should be minimizing the collection of data, regulations ask that you minimize the period of time that data is stored for. The retention policies of your organization and of the organizations within your ecosystem are a considerable concern to international regulations, as the longer data is stored with a controller or processor, the higher the risk of data exposure in a security incident or access by state actors. The appropriate retention policies for your organization will be highly context-specific and should be guided by other legislative obligations and regulatory guidance in your industry.

Integrity and confidentiality

Every trust principle in your ecosystem does not function without a secure infrastructure to store and transmit personal data between parties. Your organization must maintain a robust security posture, safeguarding against risks of data loss or access by unauthorized parties.

This is a broad topic that should be assessed from physical, organizational, and technological approaches to maintain data integrity within your ecosystem. Certifications like SOC2, and ISO 27001 can help you and your ecosystem signal that you maintain robust security standards vetted by certified professionals.


Long and short, governments are clear that the data controller is on the hook to ensure the personal data of their data subjects is protected. With this responsibility comes the need to be able to describe, demonstrate, and follow through on all processing activities undertaken by your organization and organizations that process data on your behalf. With that in mind, let’s take a look at a number of best practices you can use to avoid fines and maintain systematic trust within your ecosystem.

Building a secure data ecosystem

We’ve covered a lot of ground so far. We learned about the changes happening in the data privacy space, the language of data privacy in 2023, and the core principles that have informed the data privacy regulation of today and tomorrow.

With all this context, let’s jump into the actionable elements you can take today to build systematic trust within your partner ecosystem.

1. Start with a self-audit

Before you start reviewing your ecosystem partners and processes, have a conversation with your security and compliance team about the policies and controls your organization has today. For now, focus on the data that your organization collects and processes, rather than that of your partners. I’d recommend starting with the GDPR’s Data Protection Impact Assessment (DPIA) which will be a requirement for some organizations to complete anyways. The official GDPR site provides an assessment template to get you started.

In addition to this template, ask your team about:

  • How the organization handles users’ requests for the export or deletion of personal data
  • If your organization maintains a public list of processors, their location, and the information they process
  • If your organization has a Data Processing Agreement (DPA) in place with processors
  • If your organization maintains any security certifications (SOC2)

2. Map your ecosystem processes

With your new understanding of your organization's data privacy policies, you can start to look at the members and processes within your partner ecosystem. We know that different partners work in different ways to provide an end solution to your customers. Some partners may drive your organization's traffic, while others purchase products and manage customers on your behalf.

These various activities and sales motions will need to be catalogued and explored to understand the controller vs processor relationship, as well as the minimum, relevant data required to make the process function. Using the example motions above, I’ve expanded on what an assessment might look like in the table below. If you’re looking for more examples, the Cloud Software Associate published a more expansive list.

See more: B2B Marketing Trends to Look Out for in Tech in 2023.

3. Get the right paper and process

Using the information you’ve gathered and mapped so far, you can turn your attention to formalizing the documents and processes you’ll need for each of your partner motions. As the specifics vary from industry to industry, we’ll focus here on the core elements you should have in place.

Privacy Policy

This document covers the majority of information and processes in place for your compliance. The document should be stored in a public location and describe to your users and partners how their data is collected, used, and processed.

The GDPR speculates specific requirements for this policy including:

  • The identity and contact details of the organization, its representative, and its Data Protection Officer
  • The organization’s purpose and legal basis for processing an individual’s personal data
  • Any recipient or categories of recipients of an individual’s data
  • The details regarding any transfer of personal data to a third country and the safeguards

Get the full list of requirements and a policy template at the official GDPR website.

Data Processing Agreement (DPA)

The chain of data in your ecosystem is only as good as its weakest link. With this in mind, a DPA is one of the core documents that enforce a standard of systematic trust in your ecosystem. A DPA is a legal document you sign with your ecosystem partners (and they sign with theirs) that states the rights and obligations of each party concerning the protection of personal data. It is likely your ecosystem mapping exercise uncovered that your organization can be both a data controller as well as a processor in some partnership agreements. In either case, a DPA is vital to provide legal insurance so that your partners and their processors will uphold the same privacy and security measures of your organization. 

Once again the official GDPR website provides all the required clauses and a DPA template.

Standard contractual clauses (SCC)

It might be hard to believe, but the GDPR is actually working to make your life easier (or at the very least more compliant) with less headache. On 4 June 2021, the Commission issued modernized standard contractual clauses under the GDPR for data transfers from the EU/EEA to outside the EU/EEA. If your organization is collecting or processing the data of EU citizens outside of the EU (i.e in a US data center) then you can use these standard clauses in your DPA or other agreements to ensure a compliant transfer of data outside of the EU.

Learn more on the SCC fact sheet by the European Commission.

4. Work with an expert

As you navigate through your own ecosystem compliance, you’ll likely have questions, confusion, and cases that are not well understood. You’ll work with partners that don’t share your awareness of (or perhaps even interest in) a data privacy initiative, and likely battle with internal resources to prioritize this work.

I mentioned at the outset of this article and remind you now that I am not a lawyer, and that rules and best practices here should always be reviewed and applied within the context of your product, industry, and processing requirements with a professional.

We have a saying at PartnerStack, “If you’re not sure, ask!”. If you’re struggling with interpreting all this new information there are plenty of consultants and practicing legal experts who can help. Hopefully this article has primed you toward building an ecosystem of trusted and transparent partners., taught you some new lingo, the broad policies informing privacy law across the world, and some tactical steps to start building systematic trust in your ecosystem today.

Whether you’re ideating on partnerships in 2023 or ready to scale your ecosystem, our solutions and success teams at PartnerStack are here to help. Book a demo to get started today.

Did you find this content helpful?
Everything That You Need to Know About the PartnerStack Network in 2024

Tap into the largest B2B network and find your next revenue-driving partner now.

The Definitive Guide to Easy Partner Payouts in B2B SaaS

Save time and skip the admin work.

Quiz: How Much Do You Know About Affiliate Programs?

Take this quiz to test how much you actually know about affiliate marketing.

Revenue-Focused Goals Following Partner Activation

Joint revenue has never felt so accessible.

Presented by partnerStack
SaaS Partnerships Awards 2023

Celebrating the best partnership leaders and programs in SaaS.

ROI Report
33% Faster Payback With PartnerStack Than The Average PRM

Read how analyst firm GTM Partners used G2 user review data to determine the time to ROI of partner technology.

Discover Your Go-to-Market Fortune

Look into your partnerships past, present and future with an interactive reading for GTM leaders.

Find the answers you need from experts

Data-driven insights from world-class ecosystem leaders.

Get exclusive data and insights from our Research Lab

Unlock ecosystem data from the PartnerStack network of more than 80,000 active partners. Ecosystem leaders like you can now benefit from focused research into their specific business needs.

“We weren’t leveraging the platform enough, we never had anyone dedicated to partnerships. There were no allocated resources”

"PartnerStack helps achieve our goals. We hit 125% of our target last year in closed-won and 150% of our target pipeline generation."


Joint venture

[joynt ven·chr]

A joint venture is a business collaboration between two parties on a project. Both parties will benefit from bringing their shared resources and knowledge, and neither party will take on the sole burden of the risk.


Buyer persona

[bahy-er per-soh-nuh]

These depictions of target customers help to define your company's ideal target customers.


SaaS partner programs

[sas pahrt-ner proh-grams]

SaaS (software-as-a-service) partner programs are a systematic way that software companies form mutually beneficial relationships with agencies, influencers, and other companies to drive business results.

Do you work in ecosystems?

Fill out this survey to help us better understand the world of partnership ecosystems. All data is anonymized.

Unlock limitless scale through PartnerStack

See how PartnerStack helps you optimize your partner programs to drive predictable revenue.

Free ecosystem advice

Sign up to get the latest tips on building your partner ecosystem.