Data Protection in Business Ecosystems

Digital transformation has long since found its way into every modern company. A word of warning, however: companies who want to be successful using digital business models should drop the idea of wanting to do everything on their own. Cleverly orchestrated networks in which partners are integrated according to their core competencies are the decisive factor for success. But these networks should also be secured.

In a business ecosystem involving multiple partners, data are generated, processed, and transmitted with the aim of realizing a common value proposition. Cross-industry networks such as Gaia-X or industry-specific networks such as Catena-X demonstrate how this is done. The questions of data protection, data security, and the clarification of data ownership in such a business ecosystem are anything but trivial.

Our recommendations for minimizing risks and establishing business relationships compliant with data protection laws are shown below.

  1. Definition of clear roles and responsibilities
    Right from the development stage of the business model and the setup of the first partner structures of a business ecosystem (MVE — minimum viable ecosystem), it is essential that all partners  be assigned a clearly defined role within the ecosystem and that all relevant data flows be made transparent in their relationships to one another. The responsibilities during data processing vary according to the role in the ecosystem. According to the European General Data Protection Regulation (EU GDPR), there are in essence two data processors: the controller (Art. 4(7) GDPR) and the processor (Art. 4(8) GDPR). The controller is the natural or legal person, public authority, agency, or other body that “alone or jointly with others determines the purposes and means of the processing of personal data.” The processor differs from the controller in that it “processes personal data on behalf of the controller.” There must be a detailed examination of whether the partner constellation in the specific instance involves joint responsibility pursuant to the EU GDPR as the EU GDPR sets forth varying requirements concerning the contracts that must be concluded in each case. If two or more companies (processors) jointly decide on the purpose (why?) and means (how?) of data processing, they are joint controllers and can establish a so-called joint control agreement to regulate who is in charge of the specifically agreed processing steps in what areas. Basically, the EU GDPR provides for joint responsibility of the partners involved for the data processing in this agreement, especially if both controllers decide on the purpose and means of the data agreement. The consequence is that whenever two or more processors make separate decisions for their own operations, each of them is an independent controller and processing contracts must be concluded.


  1. Designation of data protection officers
    In the event of multiple companies having joint controllership, a data protection officer (DPO) should be designated for the business ecosystem; these officers are responsible for compliance with data protection laws and regulations within the ecosystem. The DPO should have a holistic understanding of the business ecosystem and the data protection risks associated with it.


  1. Establishment of privacy policies and procedures
    A comprehensive privacy policy and associated procedures should be established to govern how personal data are processed, shared, and accessed within the business ecosystem. This policy should be communicated to all partners and include regulations on data minimization, access controls, retention periods, and rights of affected customers and business partners.


  1. Conduct of a data protection impact assessment (DPIA)
    A DPIA can help to identify the risks associated with the processing of personal data in a business ecosystem. It should cover all partners in the ecosystem and assess the potential impact on the rights and freedoms of data subjects. This assessment will aid in determining what security measures are required.


  1. Conclusion of data protection agreements
    All partners involved in the business ecosystem should sign data protection agreements that govern how personal data are processed and shared within the ecosystem. Material elements of any such agreements include provisions for data protection and security and definitions of the roles and responsibilities of each partner.


  1. Implementation of technical and organizational measures
    Pertinent technical and organizational measures for the protection of personal data in the business ecosystem should be implemented. They could include actions such as data encryption (pseudonymization/anonymization), secure data transfer protocols, and access controls.


  1. Consents and privacy cockpit integration
    Business ecosystems often collect multiple categories of personal data. If the data processing goes beyond the original processing purpose, consent of the data subjects is required for the new purposes pursued by the collection and processing of additional personal data. Privacy cockpits offer to data subjects the options to grant and withdraw consent and can serve both to fulfill the requirements of Art. 25(1) GDPR (data protection by design) and to provide privacy-friendly default settings pursuant to Art. 25(2) GDPR (data protection by default) by bundling all types of processing relevant for data and ensuring their transparency.

In all situations, it is important to keep in mind that data protection and security are ongoing responsibilities that must be reviewed and evaluated on a regular basis. As the importance of ecosystems continues to grow, the need to consider and practice this responsibility for the entire network and not solely for one’s own company rises concurrently. Partners in a business ecosystem should work together to monitor and manage data protection risks and to improve continuously their policies, procedures, and technical measures. Compliance with the EU GDPR should be a critical consideration from the outset so that risks are minimized and potential penalties or harm to reputation is avoided.