I'll forgive you if you think my asking who owns your data is a rhetorical question. I'm quite sure that an esteemed reader such as yourself has asserted your company's ownership of data in any cloud or hosted contract you've entered. It is not my intent to disparage your abilities in any way. It is my intent, however, to point out hidden crannies and fine print foibles that are hard for even the most meticulous and experienced IT professionals to spot. And so I ask, with your interest at heart, who owns your data, really? To which I follow with: are you sure about that?
Here's a quick test to make sure your mission critical data does indeed belong to you:
- At the end of the contract, can you still use your data or will it be returned in a format that won't work in any other system?Your contract must specify that the data will be returned to you on demand, regardless of any outstanding monies owed, and in a format useable to you. Otherwise, you may end up with gobbley goop at the end of the contract whether or not the contract came to the end of the term or you quit the vendor. Indeed, this is the oldest trick in the book to forever bind customers to SaaS vendors.
- If the vendor goes bankrupt and shuts down today, can you get your data back?You may not be able to if there is no specific clause in the contract spelling out if and when your data will be returned. Be sure to also get a guarantee that your data will be protected while the vendor is in a non-functional state and before you take receipt of it, preferably by a reputable third party. If you don't, you could be found liable for any number of legal transgressions because as the "owner" of the data, you're fully responsible for what happens to it.
- Do you own the metadata too?So, you own the data, but do you own the data on the data too? Not if you haven't clarified that in the contract.
- Have you given the vendor and its assigns unfettered access to your data?Certainly, vendors and their subcontractors may have legitimate reasons to have access to your data. This might include routine redundancies for disaster recovery or the ability to provide you with lost passwords so you can access your data. But if you have given them blanket access to your data without specifying that the data can only be used in the course of delivering the service and can be used for no other purpose even if anonymized, then who owns the data is a moot issue because the vendor and/or its partners can still use it any way they want too.
- Have you given the vendor unlimited archival time spans?Here again there are legitimate reasons a vendor needs to archive your data either as a back-up or to speed data delivery to users by jettisoning older data from the load until such is specifically requested. But if you have not established a time limit, a vendor can return a copy of your data to you at the end of the contract but keep a copy in the archives for their own use as well.
- Have you defined the extraction or cleaning process?So, your data has been returned to you at the end of the contract, but how can you be sure one or more copies are not floating around the vendor and/or its subcontractor's data centers? Spell out in the contract how your data will be scrubbed from all data centers it was stored in and demand verification that the cleaning procedure actually works before you sign the contract.
- Have you prohibited data mining? You may be perfectly comfortable with a vendor aggregating your data with that of other customers to do analysis and make performance reports but unless you get real specific with the permissions language, you may have also granted them to right to mine your data for business prospects, customer contact information, and other information you didn't mean to share. Further, such could make your company legally liable for privacy infractions.
And so I ask again: who owns your data, really?