Data Commercialisation and Licensing
IP, data protection and confidentiality for data assets
Data commercialisation involves three overlapping legal frameworks: intellectual property (copyright in content and database rights), data protection (where the dataset contains personal data), and confidentiality (protecting proprietary information and trade secrets). Telecoms operators, payment processors and technology businesses hold datasets with commercial value. A well-drafted data licence addresses all three layers. IP licensing establishes what the licensee can do with the content and the database as a whole. Data protection compliance under UK GDPR governs how personal data within the dataset is processed. Confidentiality provisions protect proprietary methodologies, algorithms and commercially sensitive information that the licence makes accessible. Most data licensing agreements address one layer and ignore the other two.
Why data commercialisation matters now
Three regulatory shifts. First, the ICO has become active on data commercialisation. In 2022-2023, the ICO issued enforcement notices against data brokers for failing to establish a lawful basis for trading personal data and failing to conduct DPIAs. The ICO’s position is clear: a data licence is a processing arrangement, and both parties must satisfy compliance from the outset.
Second, the FCA has begun to scrutinise how payment services providers use transaction data. PSD2 restrictions apply to payment transaction data. The emerging Commercial VRP framework introduces further constraints.
Third, for telecoms operators, the interaction between PECR and UK GDPR has been clarified. Location data requires explicit consent under PECR regulation 14 before it can be used for value-added services. Most operators hold the consent but fail to carry it through to the licence agreement, so the licensee operates without a lawful basis.
Where clients get it wrong
Six recurring mistakes. First, treating data commercialisation as a single legal problem. Some clients draft a pure IP licence that ignores data protection. Others focus entirely on UK GDPR compliance and fail to address the IP rights in the dataset (copyright in content, database rights under the Copyright and Rights in Databases Regulations 1997, or sui generis database right). Both approaches leave gaps. The licence must establish the IP rights being granted, the data protection framework for any personal data, and confidentiality protections for proprietary information.
Second, conflating anonymisation with pseudonymisation. The ICO’s guidance is clear: if there is any realistic possibility of re-identifying individuals, the data remains personal data. We regularly see clients licence “anonymised” data that can be re-identified by cross-referencing with publicly available datasets.
Third, failing to conduct a DPIA before the licence is signed. Data commercialisation often triggers the DPIA threshold. If the ICO later investigates, absence of a DPIA is treated as evidence of negligence.
Fourth, relying on legitimate interests under Article 6(1)(f) without conducting the balancing test. A privacy notice saying “we will use your data to provide telecoms services” does not support selling the data to a third-party marketer.
Fifth, failing to address PECR for telecoms data. PECR regulation 14 requires explicit prior consent for location data used in value-added services. If an operator has collected location data for internal network management and wants to licence it to a mapping service, fresh consent is needed.
| Common issue | Better approach |
|---|---|
| Treating as a single legal problem | Addressing all three layers: IP, data protection and confidentiality |
| Confusing anonymisation with pseudonymisation | Honest anonymisation assessment with documented methodology |
| Skipping DPIAs for commercialisation activities | DPIA completed before any data sharing arrangement |
| Relying on legitimate interests without balancing test | Documented balancing test with evidence of data subject expectations |
| Ignoring PECR for telecoms location data | Explicit fresh consent under PECR regulation 14 where required |
| No audit rights over downstream data use | Contractual audit rights with breach remedies |
What good looks like
A well-drafted data commercialisation agreement addresses all three legal layers. On IP, it identifies the rights being licensed (copyright, database right, or both), the scope of the licence (territory, duration, exclusivity, permitted uses), and any restrictions on derivative works or onward licensing. On data protection, it establishes the lawful basis clearly, addresses anonymisation honestly, specifies controller/processor relationships with precision, addresses data subject rights, requires a DPIA where processing is high-risk, and addresses sector-specific restrictions for telecoms data (PECR), payment data (FCA requirements) and technology platform data (AI training). On confidentiality, it protects proprietary methodologies, trade secrets and commercially sensitive information with appropriate restrictions, audit rights and remedies for breach.
Bratby Law helps clients structure data commercialisation deals that work across all three layers. We advise on IP rights identification and licensing structure, conduct lawful basis analysis under UK GDPR, review consent coverage, advise on DPIA requirements, and draft confidentiality provisions that protect proprietary information while enabling the commercial purpose of the licence.
How Bratby Law helps
We advise licensors and licensees on data commercialisation across telecoms, payments and technology sectors. We cover all three legal layers: IP licensing (identifying and structuring rights in content and databases, including sui generis database right), data protection (lawful basis analysis, consent review, DPIA requirements, controller/processor structuring), and confidentiality (protecting proprietary information, trade secrets and commercially sensitive methodologies). We advise on PECR restrictions for telecoms data and FCA requirements for payment data.
Frequently asked questions
Can we licence customer data if we collected it for a different purpose?
Only if the new purpose is compatible with the original purpose under UK GDPR Article 5(1)(b). A privacy notice saying “we collect data to provide telecoms services” is unlikely to support licensing to a marketing analytics firm. You should obtain fresh consent or rely on legitimate interests with a documented balancing test.
Do we need a DPIA before we licence data?
A DPIA is required if processing involves large-scale processing of special category data or poses high risk to data subject rights. Data commercialisation often triggers the threshold. Commission a DPIA before signing a licence. If in doubt, err on the side of conducting one.
What is the difference between anonymisation and pseudonymisation?
Anonymisation means data cannot be attributed to a specific person. Pseudonymisation means identifiers have been removed but re-identification is possible with additional information. Pseudonymised data remains personal data under UK GDPR. If a data provider says the data is “anonymised”, ask for evidence of the methodology and re-identification testing.
Can we licence location data from a telecoms network?
Only with explicit consent from data subjects for that use. PECR regulation 14 requires explicit prior consent for location data used in value-added services. Collection for internal network management does not extend to third-party licensing. Fresh consent is required.
What rights should a data licensor reserve?
The right to audit the licensee’s compliance; require deletion if the licensee breaches terms; restrict further processing or sub-licensing; and terminate if the licensee creates regulatory risk. If relying on legitimate interests, reserve the right to terminate if the balancing test changes.
What IP rights exist in a dataset?
Three potential rights. Copyright may subsist in the individual content items (text, images, code) and in the arrangement or selection of the dataset as a literary work. Database right under the Copyright and Rights in Databases Regulations 1997 protects databases where there has been substantial investment in obtaining, verifying or presenting the contents. Confidential information protection applies to proprietary methodologies, algorithms and trade secrets, enforceable through contractual confidentiality provisions. A well-drafted licence addresses all applicable rights and specifies the scope of grant for each.
How do we protect proprietary information in a data licence?
Confidentiality provisions in the licence should define what constitutes proprietary information, restrict use to the licensed purpose, impose obligations on the licensee’s employees and sub-contractors, require return or destruction on termination, and provide for injunctive relief in addition to damages. Where the dataset reveals proprietary methodologies or algorithms, consider whether the licence should restrict reverse engineering or decompilation.
Related transactions pages
See also our other transactions pages:
- Mergers and Acquisitions
- Private Equity
- SaaS and Cloud Services
- Subsea Cables
- MVNOs and MVNEs
- Interconnection, Peering and Access Agreements
- Network Sharing and Co-location Agreements
- Digital Infrastructure Projects
- NSIA Clearances
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
- Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology
