Originally published on New Cannabis Ventures
Buyer Beware: Where Does Your Seed-to-Sale Data Go?
Data security is one of the most important topics across all major industries and the emerging cannabis industry is no different. If recent events have taught us anything, it is how crucial it is to protect client data and implement security processes to mitigate the risk of intrusion, data theft or even worse complete data loss. Traditional industries have the benefit of experience and mature regulations that help enforce fail proofs. The cannabis industry on the other hand is still largely unregulated and protocols for data security are even scarcer, leaving it up to the industry to self-regulate.
Humor me for a minute and let us assume that all software providers are disciplined and leverage data security best practices. How can you be assured that your data is not being shared or sold to third parties without your knowledge or consent? In an ever evolving technology driven world where API integrations are as valuable as gold, ask yourself how does your service provider manage your data. To understand thismore clearly, let us dive deeper into the technology.
What Is API?
API stands for Application Programming Interface and it allows two independent software platforms to communicate with each other. Think of an API as a bridge between the two platforms. Having an API means you have the infrastructure, but for the two platforms to communicate, we need to build API calls to manage the data. Think of API calls as the traffic laws on the bridge for sending data back and forth between multiple platforms. Access to the bridge is governed by API keys that are issued from each side of the bridge. The API key identifies who you are and what access you have on the bridge, like a toll pass.
Benefits of API
There are likely infinite use cases of API’s in the cannabis industry and as more industry solutions emerge there are even more opportunities for collaboration resulting in benefits to operators. Here are a few examples that exist today.
- Compliance Data Management: Many states and regulatory bodies leverage centralized compliance tools to collect data from licensees. Metrc is the service provider in Oregon and Coloardo. BioTrackTHC in Washington. California is in the process of selecting their vendor. These tools are great for regulators to manage licensees, but fall short for operators who require a more intuitive solution that integrates seamlessly into the operational flow. By leveraging APIs, service providers that are focused on operators collect the necessary compliance data and feed it into the state system, providing licensees an alternative for managing compliance data.
- Supply Chain Automation: Most service providers focus on niche aspects of the value chain, be it cultivation, manufacturing, distribution or retail. However, most operators will have requirements that touch functions across the entire value chain. API integrations allow operators to choose the best solution for each area of their business and have their data flow consistently across each tool. For example, a cultivator may use one tool to manage their production and another tool to manage their customers and orders. If those two systems are integrated through an API, data like lab test results or LOT information can carry forward automatically without the user inputting data twice, saving time and providing a powerful user experience.
- Benchmarking & Analytics: Not unique to the cannabis industry, knowledge is power. Over the last few years, a number of providers have emerged who aggregate data from operators across the industry and offer business intelligence that empower operators to make better decisions. Like most things in life, the quality of the output is only as valuable as the quality of the input. API integration allows operators to send their data to these third party platforms and receive comparison insights, however, the value of these insights is based on the integrity and scale of the data collected, which is often a significant issue.
It all sounds really great, right? Regrettably, we are seeing some troubling trends in the cannabis industry with horror stories of service providers providing full, personally identifiable data to third party platforms without the consent of their clients. Until cannabis regulations catch up to more traditional industries (e.g., retail, banking, etc.), it is a buyer beware market in the cannabis industry. That being said, there are steps operators can take to protect themselves.
- Ask The Tough Questions: It is critical that you ask any software provider you are contemplating what their data security and ownership protocols are, especially during these times of regulatory ambiguity. Ensure your search includes multiple service providers and see how they compare with their data security and ownership responses.
- Make Data Security and Ownership a Priority: Too often we see operators focused solely on cost or product functionality, but completely disregard the value of their core asset: the data. Only you will know just how valuable the data is, but at a minimum in this highly controlled cannabis industry, you can be assured that data security is high on the list for regulators.
- Read Your License Agreement: Your software license agreement is one of your only protections against the unauthorized use of your data, which makes it all the more important to read the agreement and ensure there is adequate language regarding the ownership and use of data. If the language does not reflect your intentions or is omitted completely, hold the service provider accountable.
As seed-to-sale providers constantly receive requests by third parties to access client data, we implore the industry to adopt the philosophy of empowering clients with powerful tools to manage their data and control who gets access. By working with third parties to build API calls, seed-to-sale providers lay out the bridge to allow for communication between two platforms, but should ultimately provide complete control to the client to open the gates and grant access to third parties. As the industry continues to evolve and data becomes more valuable, data monetization will become a key concern, making it that much more important to have precise clarity on data ownership up front.