Data Privacy by Design: Essential Things to Look for in a People Data Provider

With the ever-growing focus and legislation around data privacy, how should you vet a potential people intelligence partner to ensure they don’t put you on the wrong side of the law?

17 April 2025
Sally Hall

As the business landscape becomes increasingly data-driven, people intelligence data has evolved from a “nice to have” into a critical asset. From sales prospecting to talent acquisition and strategic insight for mergers and acquisitions, decision-makers need to access and leverage accurate, up-to-date insight about key executives, management teams, wealthy individuals and industry experts to operate effectively and remain competitive in the marketplace.

Of course, obtaining high-quality people intelligence data remains time-consuming and labor-intensive, requiring stakeholders to navigate and analyze vast, fragmented, and often outdated sources whilst having full regard for complex laws they may not fully understand. Companies need third-party vendors that specialize in sourcing, curating, verifying, and delivering the actionable people intelligence data they require.

However, not all vendors handle people data with the necessary legal compliance, ethics, and quality you would expect — potentially putting your company at risk if you partner with them and leaving you with substandard data of limited use.

Discover the six key questions you need to ask your people data provider to ensure that they are compliant with the law and that their processes and procurement of data do not have repercussions for your organization.

Six key questions to ask a people data provider

With so much at risk for failing to uphold data privacy standards, it’s imperative for companies not only to ensure their own processes are robust, but to verify that their partners are compliant as well. The failure of a data provider to have sourced and shared the personal data lawfully is a significant risk for any business that receives and uses that data.

But what sets a high-quality provider apart from one that can put you at risk — and how do you tell them apart? Here are six crucial questions to ask during the vetting process:

1. What data privacy certifications and registrations do you have?

Data privacy and security standards are set by several key industry organizations that both benchmark and certify compliance, through important certifications like SOC II. Whilst not all companies will have such certifications, they should, in any event, be able to demonstrate their compliance with the principles therein.

Depending on jurisdiction, there are also critical registrations you should check. Companies operating in, or sharing personal data on data subjects within, the UK should have ICO (The Information Commissioner’s Office) Registration, which you can check by clicking here. Companies operating in the US should be registered as a data broker with all applicable US states. You can check a company’s Data Broker status by clicking here for California and here for Texas. All other states are also easy to find with a quick Google search.

2. Do you follow global compliance standards?

The most impactful data privacy regulations (like Europe’s GDPR) don’t just apply to companies operating in a specific country—they apply to any company collecting data on their citizens, and also where you share personal data with a company that is caught by them (even where you may not be). Your people intelligence data provider should ideally operate in full compliance with data privacy regulations across the world.
You can check this by looking at the privacy notice published on their website, but beware: some companies will state they are compliant when they actually are not. Push them on how they demonstrate compliance if you are unsure, and make sure that you are comfortable that they are not ignoring a jurisdiction relevant to you.

3. How do you segregate your data?

Your people data provider should be able to demonstrate that they hold the data you provide to them completely separately from their company’s own in-house data and databases. Otherwise, they could enrich their databases with your valuable information, potentially diluting competitive advantages you might enjoy and even putting you in breach of the law in doing so.

Watch out for vendors that collect ‘anonymized’ customer data or have a license in their agreement which could allow them to use your data. Your data provider should hold your data entirely separately from their own and be able to return it or delete it at your request in a timely manner. Anonymized should mean exactly that – that they cannot reverse the anonymization or use that information coupled with other information to make it identifiable.

4. How do you acquire your data?

Vendors should be transparent about how and where they get their data from, both to prove its veracity and to demonstrate their regulatory compliance. They should only procure the data from well-known, reputable, and ethical sources to avoid violating an individual’s privacy.

5. What are your AI data policies?

In addition to ethical and accuracy issues, AI also raises a number of data security concerns, creating another point of vulnerability for cyberattacks, breaches, or exploitation. According to Pew, 81% of Americans believe that the information companies collect with AI will be used in ways people aren’t comfortable with. An additional 80% worry it will be used in ways that were not originally intended.
Vendors should spell out precisely what their policies are for AI data collection and illustrate how they proactively address potential risks and concerns.

6. What resources do you invest in for data privacy and security?

Many companies claim a commitment to upholding strong data privacy standards, but tangible resource allocation is the only way to make a difference. Look for people intelligence data providers with roles specifically dedicated to data privacy compliance, or leaders with a strong background in data privacy law. Do they even have a data privacy legal professional on their team?

Addressing these six questions is a great place to start in the procurement process and will give you a clear idea of your potential provider’s level of sophistication in their practices.

But why is all of this necessary to begin with? As data becomes central to everyday business processes, companies that handle data face increasingly substantial risk if they don’t use it properly—both from regulators as well as the public.

The global shift in data privacy

The mass digitalization of society since the turn of the millennium has transformed daily life and shifted the security priorities of consumers and governments alike. Now, data privacy is even influencing international trade negotiations.

Just before the start of the decade, governments across the globe began developing their own frameworks for data management standards to protect their citizens’ data privacy. Due to the size of their economies, many of these regulations have had a global impact on how businesses collect, use, and manage data. Some of the biggest advancements include:

The European Union’s comprehensive General Data Protection Regulation (GDPR), defined by fierce advocacy for citizens’ data privacy and strict rules for companies and organizations to adhere to.
The GDPR has become the global standard for companies to follow, regardless of where they’re based or conduct business, and has far-reaching jurisdictional implications that catch many companies, even if they do not have their principal place of business within Europe.

The landmark California Consumer Privacy Act (CCPA), which pioneered more robust data privacy rules and regulations for companies conducting business in the United States. More states have since followed suit with their own frameworks.

The UK’s Data Protection Act and implementation of GDPR, which bring additional hurdles for companies caught by them.

China’s Personal Information Protection Law, which impacts any party conducting business in the world’s largest economy.

Countries worldwide are implementing complex laws and governance around data privacy, and data protection regulations have given rise to an important business approach: data privacy by design. This prioritizes protecting personal data in every angle of business dealings rather than as an afterthought or an extra. Data privacy by design follows these seven principles:

- Proactive, not reactive — protecting personal data prior to a problem occurring, including preventing potential data privacy breaches
- Default setting — data privacy is the default position and not something which the business needs to opt in to
- Embedded into system design
- No tradeoffs between data privacy and data security, with both being equally important and embedded
- End-to-end security from the point that personal data is brought into the business to the point it is irretrievably deleted
- Complete visibility and transparency of all processing throughout the system
- User-centric, allowing users to set their own data privacy settings

The cost of data privacy violations

As data becomes central to everyday business processes, companies that handle data face increasingly substantial risk if they don’t use it properly—both from regulators as well as the public.
This risk has a financial cost but also, and perhaps more importantly for many companies, a reputational one.

The European Union has already levied billions of euros in fines since GDPR was established in 2018, with one ruling costing over €1.2 billion in 2023. With so much attention on the dangers of data breaches, any mismanagement by a company can generate significant negative press, hurting your brand’s reputation—especially since many members of the public already have a negative opinion about corporate data collection. Pew Research found that 85% of Americans believe the risks of data collection outweigh the benefits.

Data privacy violations—or even just the perceived risk—can have a chilling effect on revenue and brand reputation. What’s more, companies that violate data privacy regulations also risk losing hard-earned search engine rankings, hampering reputational and financial recovery after a fine.

A people data platform built from the ground up for privacy

As people intelligence data becomes an increasingly valuable currency, many providers have entered the market to gather, analyze, and broker insight. Altrata has emerged as a world leader in people data, with a best-in-class approach to data privacy internationally.

A company built on the principles of data privacy by design, Altrata is SOC II certified and registered with the UK’s ICO, and holds data broker registrations in California, Oregon, Texas and Vermont. Altrata also employs a specialized legal team trained in data privacy.

Altrata takes a human-led approach to research, leveraging specialists who carefully source and verify data without reliance on AI. The company partners with trusted, well-known and reputable data providers, and ensures accurate, regulation-compliant, and ethical data collection underscored with appropriate contractual warranties and compliance checks.
What’s more, Altrata employs robust data segregation standards to ensure its clients’ data does not enrich or infiltrate its own database in any way.

Want to learn why so many trust Altrata as their people data provider? Schedule a demo today.

Sally Hall serves as the General Counsel at Altrata and has over 15 years’ experience specializing in data protection law. She leads the Legal function and is responsible for Legal and Privacy support and compliance across both customers and suppliers. Prior to joining Altrata, Sally worked as a consultant lawyer for large organizations in a wide range of industry sectors including communications, investment banking and finance. Sally is a qualified practicing solicitor with a Masters in Advanced Legal Practice and a background in company commercial in-house counsel roles, with a particular specialism in data privacy law internationally.