Tech & Sourcing @ Morgan Lewis


Many companies are actively exploring how to better use, commercialize, and productize (make into a standalone product) the data that they collect or is collected on their behalf. A gating issue for these companies is determining whether they in fact own or have the right to use the target data in the manner being contemplated by the business. From a legal perspective, there are three work streams that typically need to be carried out when addressing this issue:

1. Diligence of Current Environments

The initial work stream consists of diligence efforts to fully understand the data involved in the planned use and commercialization. Key diligence items include the following:

  • Identifying the nature, contents, scope, and source of the target data
  • Determining and documenting how the target data is collected (e.g., create a data collection workflow that shows the sources, collection methods, and where the data resides)
  • Determining whether there are third parties that have access or input to the data that could impact use rights, including third parties who collect, modify/enhance, cleanse, mine, analyze, or host the data
  • Identifying and collecting the agreements or other terms and conditions that apply to the collection and use of the data, as well as agreements with third parties that touch the data
  • Assessing the regulatory framework that may apply to the collection, storage, protection, and use of the data (e.g., regulations that require informed consent of the individual data subjects if personal data is involved)
  • Reviewing the agreements and regulations to determine whether (i) the data is “clean” and can be used “as is” or in a de-identified or aggregated form; (ii) data use is restricted in whole or in part by third party agreements; and (iii) further consent is required from the data source/subject

2. Corrective Actions

Identifying these details about data content and collection, third party touchpoints, regulatory requirements, and related issues is only the first step. The next work stream is focused on addressing the results of the due diligence efforts. Even if there are issues regarding the target data, whether they are issues regarding chain of possession created by third parties touching the data, issues regarding the requisite consents to use the data, or other issues, there may be ways to correct the issues to permit the desired use of the target data. For example, the company should consider whether existing agreements can be amended, terms of use can be updated, and/or consent can be obtained from the individual data subjects to address any outstanding issues. It is best to develop a holistic, strategic approach to this work stream so that corrective actions can be identified and implemented in a structured, auditable manner.

3. Proactive Monitoring

In addition to addressing pre-existing issues through the diligence and corrective action work streams, the company should get proactive. What data is most valuable to the company today and how is that likely to change in the future? Going forward, what can the company do to ensure that it has the right to use valuable data? The company should review key forms and contracts on a regular basis as part of an ongoing data management program to ensure that, among other things, the data rights are clear and allocated in a manner in which the company is authorized to use and commercialize the assets in accordance with the business’s direction.