Protecting confidential consumer and corporate data is a critical priority for most companies. We suspect, however, that most are not applying that same protection to their supplier data, leaving supply chains and businesses vulnerable – especially when operating in developing countries. With increasingly common data security breaches, discussions of data sovereignty, and more privacy regulations such as the EU’s General Data Protection Regulation (GDPR), companies face new challenges when it comes to their sustainability data. 

Plus, many companies may be leaving value on the table. While they mine their consumer data for insights, they are missing opportunities with common supplier data. In the agri-food sector, farmer-producers offer important insights for business decision-making when they provide their business data or respond to surveys for personal information such as working conditions, management of resources and inputs, income, gender, etc.  

Whether supply chain data is gathered in-house or by a third party, businesses are accountable and should have a sound structure of privacy and security management that begins with data collection and covers how data is shared, analyzed, visualized, and stored. Doing so can not only build trust with producer-suppliers but also advance your competitive ability, getting ahead of the curve and being prepared for the next data frontier that includes data ownership, value, and limits to sharing. Here are three key areas that your firm – or institution – should not overlook. 


Covering data from start to finish

Until recently, basic information about suppliers and supply chains has been treated with somewhat looser protocols because few would be aware of breaches or complain about their data use. We face a fast-changing landscape of internet connectivity and an emerging and more inclusive understanding of rights[1]. So it is becoming necessary to manage this supplier data with the same level of confidentiality and protection protocols as consumer data. This includes not only basic supplier data but also data that comes through monitoring and evaluation (M&E), training activities, traceability, or research studies. 

A good organizational data strategy should encompass the data path from start to finish. It can then serve as the backbone of a solid data policy that addresses these key issues: 

  1. Clarifying the objectives and intention
  2. Describing the range of uses 
  3. Elaborating the means of getting data and the processes and parameters for securing, analyzing, sharing, and later disposing data. 

A data privacy and security policy is a necessary step, offering clarity and guidance. It should include procedures for three areas of greatest risk.

  1. Collecting data. Privacy practices start with permission-based data collection. Once data is collected it should be effectively anonymized to remove all necessary identifying information, so that it does not reveal identities or privileged information. Data should be immediately encrypted and marked as restricted, ideally before cleaning and analyzing it. At COSA, we replace sensitive data such as farmer names, contact info, locations (GPS), buyer/client, etc. with alphanumeric codes when needed.

  2. Sharing (transmitting) data with appropriate persons or entities depends on the kind of data system in use. Popular Excel spreadsheets have the benefit of relative economy compared to digital systems but the risks related to transmitting unencrypted personal and confidential data are high. They go up when documents can be conveyed as email attachments. Such data should be handled with the same security precautions as any personally identifiable information (PII) such as employee dates of birth, social security or national identity numbers, etc.A better option is uploading files directly to a secure data storage site or platform in a private environment, with password and user authentication, to protect data and minimize unsafe transit between networks. COSA surveys, for example, are conducted using digital devices from which data is transmitted to a secure site, with controlled user access and stringent security protocols including restricting access to certain IPs or geographical locations (geo-fencing). Web applications or sites used by a business to store or transmit supply chain data should implement, at a minimum, client-server encryption through SSL certificates. The risk of not doing so can leave an organization vulnerable to data interception.
  3. Storing data. Whether internal staff or a 3rd party is managing that for you, ensure that data is encrypted in storage, to prevent data leakage or unauthorized access. Access to the server and database should be strictly limited to appropriate staff or users, and all access documented. Established protocols and best practices for data retention and disposal, disaster recovery, audits, and incident responses should all be part of any data management plan. 

On the horizon: ownership and value of shared data

According to UNCTAD,[2] 66% of the world’s nations have enacted privacy legislation, and another 10% are in the process of doing so. They are driven, understandably, by increased commercial and social activity online, and both the willing and unwilling sharing of personal data. Concerns about data ownership will soon affect how data about sustainability and about suppliers, such as farmers, is managed. 

In the past, commissioning data made it your own. Studies are emerging that question that. One recently published in the well-regarded Wageningen Journal of Life Sciences,[3] documents farmer concerns about not just their privacy, but who gets to use their data. Further, the authors suggest that lack of transparency with regard to use, ownership, privacy and other data issues are making farmers wary and less willing to share data. At the center of the issue, they offer, is “the lack of trust between the farmers as data contributors, and those third parties who collect, aggregate and share their data.” 

These issues are part of current discourse, in progress globally. 

Data democracy is an emerging concept that addresses a key ethical issue about the use and value of farm and farmer data. COSA holds that in most cases those who provide or are the subjects of the data (i.e., farmers or cooperatives) have some rights to the benefits of that data. This can include commercial benefit or, more commonly, some analyzed feedback in the form of advice or benchmarking, for example, when informing a farmer that their pesticide costs are x% higher/lower than the average in their region. Farmers can make better decisions when they are informed by useful knowledge. They become more proactive partners in projects and supply chains when they understand the data, because they are often best placed to drive the locally appropriate solutions to sustainability problems that data can inform.

Incorporating some level of basic feedback to farmers or their cooperatives is not that difficult. One-way flows of data from farmer to organizations can, with mobile technology, easily be reconfigured to bilateral or even multi-lateral exchanges of simple feedback. Increasingly smart data systems can tailor data to help farmers to optimize efficiencies or make better economic decisions based on their specific, individual situations rather than generic guidelines. 

A new World Bank report affirms the value of ‘largely untapped’ data for advancing development objectives.[4] “Realizing data’s full value,” the report states, “entails repeatedly reusing and repurposing data in creative ways to promote economic and social development.” 

Data governance and data policies will increasingly affect those who work with farmers and suppliers. Protecting it is just the first step. Starting to treat it as a strategic asset is the next step on the path to accelerating sustainability. 


[1]One more reason to pay attention: Data sovereignty refers to the concept that the data an organization collects, stores, and processes is subject to the nation’s laws and general best practices where it is physically located. [source:]


[3]Farmers and their data: An examination of farmers’ reluctance to share their data through the lens of the laws impacting smart farming

[4]World Bank. 2021. World Development Report 2021: Data for Better Lives. Washington, DC: World Bank. doi:10.1596/978-1-4648-1600-0. License: Creative Commons Attribution CC BY 3.0 IGO