Tag Archives: third party data

What is first, second and third-party data and how is it affected by GDPR?

Published / by Simon Foster

First party data is data that your organisation has collected and owns about your customers. It is information that has been gathered in the course of your direct relationship with your customers. They key here is that your organisation is the owner of this data; this is your database of your leads, your enquiries, your customers, your subscribers or your members. This data may combine demographic, transactional and media source information.  It can also be used to report business and marketing performance – transactions per hour, day, week or month. First party data is the source of lifetime value information such as revenue, purchase frequency and evolving customer value.  This type of transactional data can be analysed to predict next likely behaviours based on past purchase behaviour patterns.

Second party data is data you share with a known and named partner. For example, if you are a hotel group you might exchange data with an airline to improve your targeting models;  might add data (sometimes called appending or augmenting) from its airline partner to improve its targeting model. The appended airline data might reveal that a customer always travels business class by air but always books an economy room thus presenting an opportunity for cross-sell. The data added by this cross-party transfer improves the level of insight that can be generated about a given customer and presents commercial opportunities on both sides. This data sharing is enables by the consumer if they tick a data sharing box in a permission request.

Third party data is data that does not belong to you but can be bought or used by you to improve insight or targeting. This is usually sold by third party data suppliers such as Acxiom or Experian. This data has been sourced directly from the consumer and permissioned through an opt-in. Third party data is often used in “matching” projects where a first party database is matched to a third-party database (like the way second party data is used in the scenario above) which can add incremental information to that already held by the first party data owner. So, for example, if you are a retailer of clothing you might want to match your database to a database of clothing purchasing habits to target consumers with products which appear to be relevant to the third consumer base.

Impact of GDPR on first, second and third party data

The General Data Protection Regulations (GDPR) will affect all three types of data and all the companies who are storing and managing that data. Companies holding first party data will need to make sure that their data is properly stored, consented, encrypted and secured in order to meet the regulations. And whilst there is a strong onus on first party data holders to comply with GDPR they, as the data owners, are in a strong position to comply because they are in control of their own data, storage environments and protocols.

The real complications arise when we look at second and third-party data. As first party data is shared with second and third parties, the responsibilities of the first party data owner “stretch” as far as the data goes.  So, if a second or third party commits a breach involving your data, you may still be responsible, at least at joint level with the party you have shared to.

This means you will need to ensure that the way your data is used after being passed to a second or third party remains compliant all down the line. It may not suffice to have your partners sign an agreement saying they will manage the data in line with the requirements of GDPR. If they do not, you may still be liable.