ARTICLE
22 October 2024

Data As An Asset

E
ENS

Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.
In today's digital economy, data has emerged as a cornerstone asset for businesses, fundamentally shaping how organisations operate and innovate.
South Africa Privacy

In today's digital economy, data has emerged as a cornerstone asset for businesses, fundamentally shaping how organisations operate and innovate. This article delves into the multifaceted nature of data as an asset, exploring its immense value, the potential for monetisation, and the critical legal considerations that come into play, particularly in light of evolving data privacy legislation. Companies like Google and Meta exemplify how data drives revenue through targeted advertising and personalised services, underscoring its role as a vital resource. However, as the demand for data monetisation grows, so too does the need for compliance with laws designed to protect personal information. We will examine the nuances of data as an asset, the ethical and legal frameworks governing its sale, and best practices for navigating the complex landscape of data privacy in the article below.

Is Data considered an Asset?

Data is undoubtedly one of the most valuable asses a company can have. In fact, companies like Google and Meta exist because of their data assets. The value of their data lies in their ability to generate revenue through targeted advertising, which is heavily fuelled by data-driven insights.

Data's value comes from its ability to inform decision-making, enhance customer relationships and help businesses identify trends, customer preferences, and market opportunities. Analysing data can also streamline processes, reduce costs, and improve overall efficiency. Companies that effectively leverage data can gain a competitive edge by optimising operations, personalising customer experiences, and innovating products or services.

Can Data be sold as an Asset?

Data can be monetised in various ways, such as selling insights, targeted advertising, or enhancing products and services. However, the sale of data, especially personal data, requires compliance with data privacy laws. While companies may sell aggregated, anonymised data that does not identify individuals, selling personal data involves significant legal and ethical considerations.

Considerations under POPIA

POPIA aims to protect personal information processed by public and private bodies. Here are some key considerations for companies to consider when looking to sell data:

  • Consent

Companies must generally obtain explicit consent from individuals before processing their personal data (unless other grounds for processing exist). This consent must be informed and specific to the intended use, including any potential sale. Privacy notices sometimes contain a provision informing data subjects that the company may transfer personal information in the event of a sale of business/assets. It may even specifically state that the company may sell data assets. Whether this type of notice (hidden in Ts&Cs) constitutes explicit and informed consent is questionable. The question is therefore whether the company can rely on any of the other grounds for processing, such as legitimate interest.

  • Purpose Limitation

Personal data must be collected for a specific, explicitly defined purpose and may not be processed for a purpose that is not compatible with the purpose for which it was collected. In the circumstances, explicit consent would be required for further processing (unless the data subject was informed, at the time of collection, that his/her data is to be sold). Legitimate interest cannot be used as a ground for further processing.

To reduce privacy risks, companies should consider anonymising or aggregating data before any sale. This helps to ensure that individuals cannot be re-identified from the data set.

  • Security Measures

Companies must implement appropriate security measures to protect personal data from unauthorised access or breaches. If data is sold to third parties, companies should ensure that contracts include clauses requiring those parties to comply with POPIA and to handle personal data appropriately.

  • Transparency and Accountability

Companies must be transparent about their data practices. This includes providing clear information to individuals about how their data will be used, stored, and potentially sold.

  • Data Subject Rights

Under POPIA, individuals have several rights, including the right to access their personal information, the right to correction, and the right to object to processing. Companies must have processes in place to address and manage these rights.

While data can be a valuable asset that can be monetised, companies must navigate the complexities of data privacy laws. Robust data governance frameworks must be established and appropriate legal advice should be sought when considering the monetisation of data to ensure adherence to privacy laws and ethical standards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More