Ok — I think everyone gets it. The traditional models of direct and indirect software distribution are out, and ecosystems are in. If 2022 taught partnership leaders how to identify and define ecosystems, then 2023 will be the year they’re built and scaled.
Over the past seven years as a product manager and solutions consultant at PartnerStack, I’ve worked with thousands of partnership teams to operationalize partner-sourced revenue through their indirect channel. While the terminology has changed, the foundation of successful partnerships has not. The ecosystems of tomorrow will be built upon the same foundations as the successful partnerships of the past: trust and transparency.
As your ecosystem demands more information sharing, maintaining the trust of your partners and protecting your end customers’ data can feel much easier said than done. Regulatory fines costing companies millions, browser policies impacting performance marketing, and security threats all raise the stakes of a misstep. It can be a stressful time to open your doors to new partnerships.
Luckily for you, we can help you cut through the noise. This article will help you:
- Understand common terminology used in data privacy regulations
- Know how to apply regulations and policies to your partner ecosystem
- Take tactical steps to enforce systematic trust in your ecosystem
Note: I am not a lawyer, nor do I pretend to be one on LinkedIn. Nothing in this article should be taken as legal advice.
How the General Data Protection Regulation applies to partnerships
By now you have likely heard of GDPR — the General Data Protection Regulation — adopted by all EU nations in 2018. In short, the regulation formalizes a handful of data privacy principles that must be maintained to protect the personal data of citizens within the European Economic Area (EEA). Since then, Canada, Switzerland, Australia, the UK, and more than 120 other countries and five US states have established some form of privacy laws for the data protection of their citizens.
The good news is that most ecosystem leaders can cover the majority of these regulations by prioritizing universal principles put forth by the most restrictive guidelines. Before jumping into the rules, let’s get you caught up on some of the terms you’ll need to know to get started.
Learning the lingo
Building systematic trust in your ecosystem relationships starts with building awareness of the language of data privacy in 2023. The list below highlights terms and related concepts within data privacy regulations in 2023, along with common ecosystem examples. While there is some variance in language globally, we’ll use the broadly accepted definitions outlined in Article 4 of the GDPR.
Data subjects and personal data
By the book: According to the GDPR, personal data refers to “any information relating to a natural person (the data subject)”. An identifiable natural person is “one who can be identified, directly or indirectly, by an identifier such as a name, an ID number, location, an online identifier or other factors such as the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Ecosystem translation: When new users sign up for your product or fill out a demo form, they are data subjects passing you their personal data (name, email, etc.). Corporations aren’t individuals and are thus not data subjects protected under most privacy regulations.
Data controller and data processor
By the book: Per the GDPR’s definition, a data controller “determines the purposes and means of processing personal data”. A data processor engages in “processing personal data on behalf of the controller”.
Ecosystem translation: Your website describes a service to your prospects. When an individual prospect at an organization completes your demo form, your organization becomes the data controller of that information and determines how it is processed. This may involve multiple data processors downstream of your business. For instance, pushing the user’s data to a data enrichment service like ZoomInfo is an example of your organization, as data controller, deciding to pass the data to a processor for a valid business need. If a partner collects lead information and passes it to you as a referral through a partner portal, you may enter what could be considered a joint controller relationship, where both you and your partner are responsible for the processing activities.
Data processing
By the book: The GDPR defines data processing as “any operation by a processor performed on personal data” (such as collection, structuring, storage, use or disclosure).
Ecosystem translation: Your ecosystem likely uses many tools, including a CRM to report on revenue and pipeline, a PRM to manage partnerships securely, a lead enrichment and account mapping tool, a mailing provider like MailChimp, and others. The work these tools do (lead cleaning, email communication, reporting) constitutes the data processing activities.
Data importer and data exporter
By the book: For European citizen data, the data exporter (a controller or processor) is subject to the GDPR for the given processing. The EDPB defines: “The data exporter transmits or makes available personal data to a data importer (another controller, joint controller, or processor). The data importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing”.
Ecosystem translation: A partner organization in the EU captures lead information that is passed to your organization in the US via an account mapping tool hosted in the US. The partner is the data exporter (the organization sending data outside of the EU), and the importer would be the account mapping tool. We’ll cover more on this when we talk about data processing agreements and standard clauses.
Your ecosystem principles of trust
With these terms in mind, let’s highlight the major principles that will guide systematic trust across your partner ecosystem. We’ll focus here on rounding up the guiding principles put forth by GDPR, CCPA, and the Organization for Economic Co-operation and Development (OECD) that governments are using to inform regional regulations.
Remember, data privacy principles aim to protect the individual user’s identifiable information as it moves through a global ecosystem of tools working together to achieve the user’s needs. Just like partnerships, these principles are all about the people.
Be fair, lawful, and transparent
Data shared in your ecosystem must be collected in a way that is transparent, fair to the end user, and lawful. It is critical that your organization and the other organizations in your ecosystem clearly inform data subjects how their data is going to be processed, and for what reasons, at the moment it is collected.
For example, in England, a software agency contacts one of its customers to inform them about a new product line offered by the customer’s CRM. However, the customer is not told that the agency itself will not be providing the demo of the new product line, and that their data will be sent to the CRM company to fulfill any interest. The CRM company in this case is the data controller of this user’s data. It has not handled the processing of its customer’s data in a transparent way, because the data was shared with an external partner without telling the customer.
Limit the purposes of data collection
All personal data collected in your ecosystem should be collected for a determined, specific, and legitimate purpose that does not change after it is collected. The purpose of processing and the proposed use of the data must be clearly defined and explained to the data subject. Establishing clear limitations at the point of collection helps to protect your users’ data from further processing for which they did not provide consent.
Limit data collection
There is no easier data to secure than the data you don’t collect. Data collected within your ecosystem should only consist of the information that is necessary and relevant to achieve the purposes outlined to your customer. Necessity and relevancy are important factors to understand.
For example, an integration partner sending you a referral may need to communicate the referral’s location so your sales team can contact them at an appropriate time. Establishing the best time to call could be achieved by sharing a timezone code, looking up an exact location via IP address, or sharing a full address. While all are relevant for working out the best time to call, the full address and IP address lookup would be excessive (and thus not necessary) for the purposes of collection.
Maintain accurate data
When you collect and process each user’s data, you work with your ecosystem partners to fulfill a promise to that user. If the user’s information falls out of sync between systems or partners, the user may receive an incomplete or incorrect outcome for their service.
For instance, many product onboarding processes collect user preferences to provide product recommendations. If a user’s preferences are later updated but not communicated to relevant parties, the user can receive communications, services, or processing they did not consent to.
This is increasingly important for financial or healthcare products where inaccurate information can impact a user’s financial status (credit score services) or physical well-being (patient management software).
Limit the storage of data
Just as you should be minimizing the collection of data, regulations ask that you minimize the period for which data is stored. The retention policies of your organization and of the organizations within your ecosystem are a considerable concern to international regulators, as the longer data is stored with a controller or processor, the higher the risk of data exposure in a security incident or access by state actors. The appropriate retention policies for your organization will be highly context-specific and should be guided by other legislative obligations and regulatory guidance in your industry.
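As an added example (not code from the original article or from PartnerStack), the Python below applies the data minimization example above and the storage limitation just described to a partner-portal referral: it keeps only the fields the stated purpose needs (a timezone rather than an IP address or full address), records what it dropped so the partner can be told, and purges records past a retention period. The field names, purpose string, 90-day retention and the sample referrals are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Purpose the referral is collected for, as stated to the data subject (assumed).
PURPOSE = "contact the referral at an appropriate local time"
# Minimum fields needed for that purpose; anything else is dropped at intake.
ALLOWED_FIELDS = {"name", "email", "company", "timezone"}
REQUIRED_FIELDS = {"email", "timezone"}
# Assumed retention period for referrals that never convert (hypothetical).
RETENTION = timedelta(days=90)
# Simple shape check for an IANA zone name such as "Europe/Berlin" (assumption).
_ZONE_RE = re.compile(r"^[A-Za-z_]+(?:/[A-Za-z_+-]+){1,2}$")


def minimize_referral(payload: dict, received_at: datetime) -> dict:
    """Keep only the fields needed for PURPOSE and record what was dropped."""
    missing = REQUIRED_FIELDS - payload.keys()
    if missing:
        raise ValueError(f"referral lacks required fields: {sorted(missing)}")
    if not _ZONE_RE.match(str(payload["timezone"])):
        raise ValueError(f"timezone is not an IANA zone name: {payload['timezone']!r}")
    kept = {k: payload[k] for k in ALLOWED_FIELDS & payload.keys()}
    dropped = sorted(payload.keys() - ALLOWED_FIELDS)  # e.g. ip_address, street_address
    return {"data": kept, "dropped_fields": dropped, "purpose": PURPOSE,
            "received_at": received_at, "expires_at": received_at + RETENTION}


def purge_expired(referrals: list, now: datetime) -> tuple:
    """Storage limitation: return (retained referrals, emails of purged ones)."""
    retained = [r for r in referrals if r["expires_at"] > now]
    purged = [r["data"]["email"] for r in referrals if r["expires_at"] <= now]
    return retained, purged


def demo() -> dict:
    """Run both checks over constructed sample referrals."""
    t0 = datetime(2023, 1, 15, tzinfo=timezone.utc)
    # Constructed sample: the partner sends more than the purpose needs.
    early = minimize_referral({"name": "Ada Example", "email": "ada@example.com",
                               "timezone": "Europe/Berlin", "ip_address": "203.0.113.7",
                               "street_address": "1 Example Street"}, t0)
    late = minimize_referral({"email": "bo@example.com", "timezone": "America/Toronto"},
                             t0 + timedelta(days=60))
    retained, purged = purge_expired([early, late], t0 + timedelta(days=91))
    return {"kept": early["data"], "dropped": early["dropped_fields"],
            "retained": len(retained), "purged": purged}


if __name__ == "__main__":
    print(demo())
```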
Integrity and confidentiality
None of the trust principles in your ecosystem function without a secure infrastructure to store and transmit personal data between parties. Your organization must maintain a robust security posture, safeguarding against the risks of data loss or access by unauthorized parties.
This is a broad topic that should be assessed from physical, organizational, and technological angles to maintain data integrity within your ecosystem. Certifications like SOC 2 and ISO 27001 can help you and your ecosystem signal that you maintain robust security standards vetted by certified professionals.
The long and short of it is that governments are clear that the data controller is on the hook to ensure the personal data of their data subjects is protected. With this responsibility comes the need to be able to describe, demonstrate, and follow through on all processing activities undertaken by your organization and by the organizations that process data on your behalf. With that in mind, let’s take a look at a number of best practices you can use to avoid fines and maintain systematic trust within your ecosystem.
Building a secure data ecosystem
We’ve covered a lot of ground so far. We learned about the changes happening in the data privacy space, the language of data privacy in 2023, and the core principles that have informed the data privacy regulation of today and tomorrow.
With all this context, let’s jump into the actionable elements you can take today to build systematic trust within your partner ecosystem.
1. Start with a self-audit
Before you start reviewing your ecosystem partners and processes, have a conversation with your security and compliance team about the policies and controls your organization has today. For now, focus on the data that your organization collects and processes, rather than that of your partners. I’d recommend starting with the GDPR’s Data Protection Impact Assessment (DPIA), which some organizations will be required to complete anyway. The official GDPR site provides an assessment template to get you started.
In addition to this template, ask your team about:
- How the organization handles users’ requests for the export or deletion of personal data
- If your organization maintains a public list of processors, their location, and the information they process
- If your organization has a Data Processing Agreement (DPA) in place with processors
- If your organization maintains any security certifications (e.g. SOC 2)
2. Map your ecosystem processes
With your new understanding of your organization's data privacy policies, you can start to look at the members and processes within your partner ecosystem. We know that different partners work in different ways to provide an end solution to your customers. Some partners may drive your organization's traffic, while others purchase products and manage customers on your behalf.
These various activities and sales motions will need to be catalogued and explored to understand the controller vs. processor relationship, as well as the minimum, relevant data required to make the process function. Using the example motions above, I’ve expanded on what an assessment might look like in the table below. If you’re looking for more examples, the Cloud Software Association has published a more expansive list.
3. Get the right paper and process
Using the information you’ve gathered and mapped so far, you can turn your attention to formalizing the documents and processes you’ll need for each of your partner motions. As the specifics vary from industry to industry, we’ll focus here on the core elements you should have in place.
Privacy policy
This document covers the majority of the information and processes in place for your compliance. It should be stored in a public location and describe to your users and partners how their data is collected, used, and processed.
The GDPR specifies requirements for this policy, including:
- The identity and contact details of the organization, its representative, and its Data Protection Officer
- The organization’s purpose and legal basis for processing an individual’s personal data
- Any recipient or categories of recipients of an individual’s data
- The details regarding any transfer of personal data to a third country and the safeguards
Get the full list of requirements and a policy template at the official GDPR website.
Data Processing Agreement (DPA)
The chain of data in your ecosystem is only as good as its weakest link. With this in mind, a DPA is one of the core documents that enforce a standard of systematic trust in your ecosystem. A DPA is a legal document you sign with your ecosystem partners (and they sign with theirs) that states the rights and obligations of each party concerning the protection of personal data. Your ecosystem mapping exercise likely uncovered that your organization can be both a data controller and a processor in some partnership agreements. In either case, a DPA is vital to provide legal assurance that your partners and their processors will uphold the same privacy and security measures as your organization.
Once again the official GDPR website provides all the required clauses and a DPA template.
Standard contractual clauses (SCC)
It might be hard to believe, but the GDPR is actually working to make your life easier (or at the very least more compliant) with less headache. On 4 June 2021, the European Commission issued modernized standard contractual clauses under the GDPR for data transfers from the EU/EEA to outside the EU/EEA. If your organization is collecting or processing the data of EU citizens outside of the EU (e.g. in a US data center), you can use these standard clauses in your DPA or other agreements to ensure a compliant transfer of data outside of the EU.
Learn more on the SCC fact sheet by the European Commission.
4. Work with an expert
As you navigate through your own ecosystem compliance, you’ll likely have questions, confusion, and cases that are not well understood. You’ll work with partners that don’t share your awareness of (or perhaps even interest in) a data privacy initiative, and likely battle with internal resources to prioritize this work.
I mentioned at the outset of this article and remind you now that I am not a lawyer, and that rules and best practices here should always be reviewed and applied within the context of your product, industry, and processing requirements with a professional.
We have a saying at PartnerStack: “If you’re not sure, ask!” If you’re struggling to interpret all this new information, there are plenty of consultants and practicing legal experts who can help. Hopefully this article has primed you toward building an ecosystem of trusted and transparent partners, taught you some new lingo and the broad policies informing privacy law across the world, and given you some tactical steps to start building systematic trust in your ecosystem today.
Whether you’re ideating on partnerships in 2023 or ready to scale your ecosystem, our solutions and success teams at PartnerStack are here to help. Book a demo to get started today.