Data is often a business's most valuable asset, yet it is the one most frequently left unprotected. Unlike a trademark or a patent, a dataset has no single registration that locks it down. A customer database, a curated price feed, a model's training set, a sensor archive: each can represent years of investment, and each is vulnerable to being copied, scraped or walked out of the door unless you have deliberately built protection around it.
Protection for data comes from a combination of rights and safeguards rather than a single certificate. Used together, the sui generis database right, copyright, trade secret protection and well-drafted contracts give you a defensible position. Used in isolation, each has gaps. The work is in assembling the right combination for the data that actually matters to you.
The EU sui generis database right is the starting point. It protects the substantial investment made in obtaining, verifying or presenting the contents of a database, independently of whether the data itself is original enough for copyright. A business that invests in compiling and maintaining a database can use this right to stop others extracting or reusing a substantial part of it. Copyright can additionally protect the original structure or selection of a database, and the software that runs on top of it.
Where the value lies in secrecy rather than in a register, trade secret protection applies. Confidential datasets, models, algorithms and know-how can be protected as trade secrets, but only if you take reasonable steps to keep them secret: access controls, confidentiality terms, and a clear internal understanding of what is confidential. Lose the secrecy and you lose the right. In practice, the strongest and most flexible protection is contractual: access and use restrictions, confidentiality obligations, and a clear allocation of who owns the data created, enriched or derived in a collaboration.
Three gaps recur. The first is ownership in collaborations: when two parties combine data, or a supplier processes and enriches a client's data, the contract is often silent on who owns the result, and the default position is rarely the one either party assumed. The second is employee and contractor leakage, where datasets leave with people because confidentiality and return-of-materials terms were thin. The third is scraping and reuse by third parties, where the absence of clear terms of use and technical controls makes the database right harder to enforce. Each of these is avoidable with planning.
Protecting data sits in the Protect stage of our 360 method, within the Data, Data Protection and AI focus area. It works hand in hand with our data processing agreements and DPO as a Service on the compliance side, and it is the foundation for data licensing and data sharing once you want to commercialise that data. It mirrors, on the data side, the way we protect trademarks and patents on the IP side. The background reading sits in the Knowledge Base on data retention and records of processing, and the structured record of what data you hold is maintained through our Privacy Register technology.
We map the data you hold and identify which rights and safeguards apply to each dataset, put the confidentiality and access framework in place, and lock down ownership in your contracts before the data is shared, licensed or processed by anyone else. Where data is already out in the open, we advise on enforcing the database right and trade secret protection against extraction and misuse.
There is no single property right in raw data as such, which surprises many businesses. What you can own and control is the database right in a compiled dataset, copyright in its structure or software, trade secret protection in confidential data, and contractual rights over how others use it. The practical answer is to build ownership and control through those tools rather than to assume the data is simply yours.
It is an EU right that protects the substantial investment in obtaining, verifying or presenting the contents of a database. It lets you prevent the extraction or reuse of a substantial part of the database, and it exists independently of any copyright in the underlying data.
Through the contract. A data-sharing or licensing agreement should define what may be done with the data, for how long, who owns anything derived from it, and what happens on termination, backed by confidentiality and security obligations. We cover this in data licensing and data sharing.
They are related but distinct. Database rights and trade secrets protect the data as an asset; the GDPR governs personal data as a compliance matter. Where a dataset contains personal data, both apply, which is why this work runs alongside our data processing agreements and DPO service.
%402x.svg){kind=icon}
%402x.svg){kind=icon}
%402x.svg){kind=small}