Why managing data is essential to securing a successful university spin-out

In 2024 the spin-out sector raised £2.9 billion in venture capital funding - almost a fifth of VC spend on UK companies – with more than 2500 spin-outs now registered in the country.

But with increased attention and engagement has come greater transactions in other, unexpected fields – and while the headlines and governance may focus on the equity and intellectual property aspects of spin-out investment, the data transfer involved is becoming just as important.

Beyond the monetised IP itself, spin-outs often need to rely on a large amount of accrued data gathered during the creation process – from student datasets and student code bases to participant data, particularly in relation to clinical and life science research.

Who governs what?

Ownership and governance of that data can be complicated. Often, much of it was generated before an entity was spun-out and it existed within the confines of the university. The ownership of that data, during the transfer from academic project to commercial venture, may not be documented or governed in the same manner and there may be a lack of clarity on how that data can be used.

This can generate problems as the spin-out is incorporated and the spin-out wants to use that data. Similarly, staff can often be working simultaneously for the spin-out and academic body, which may create issues around lack of clarity about how data is being used, by whom, for what purpose and governance.

Data governance and oversight systems in higher education may not be geared up to manage the movement of data to a spin-out company, which may often happen on an informal basis through shared drives and cloud services. This could result in a breach of legal or contractual obligations including funders’ or collaborators’ requirements.

Understanding what the status is of the spin-out with regard to any personal data it is using that was generated through research undertaken at the university where it spun-out from is essential, especially whether it acts as data controller or processor. The former is responsible for determining the purpose and means of processing personal data, and has the power to make decisions over that data’s application. Processors, meanwhile, do not have such authority and can only act on the instructions of the controller.

Who takes responsibility for the use of both personal and other data – particularly in clinical situations – can therefore be an essential aspect of ownership chains when creating the spin-out, and ensuring that the commercial project is not falling foul of applicable laws and regulations.

Some aspects of the data that a spin-out is to use may not fall within the parameters of the IP the spin-out is licenced to use under the usual form of IP licence. Therefore, a careful audit of what data the spin out needs to use and whether this right of use can be granted needs careful consideration and to be documented as part of the spin-out deal.

Alongside the ownership and use issues come another significant concern – cyber security. Particularly for spin-out ventures in areas where data accrued may be sensitive, such as health and life sciences, ensuring data security is suitably enforced is an essential part of being its controller, especially with ownership and transfer chains to consider.

The requirements around safe management, handling and security of data, however, may be overlooked as part of the spin-out deal with a focus on the rights in intellectual property (IP) to be granted to the spin-out. Being able to safely and securely manage these issues will underline good management processes on a spin-out venture.

Why it matters

From the perspective of investors, clean and established ownership and governance chains around data are essential in ensuring the investment is future-proofed, both from potential litigation and in ensuring the spin-out has the necessary rights to succeed commercially.

Early-stage investors increasingly look for clear answers, and will make clear their challenges, towards data protection and management issues, including provenance of the datasets and the compliance history when it comes to GDPR.

Alongside this comes the potential reuse of the datasets for other ventures – such as AI training and product / service improvement – meaning having those clear lines of understanding is essential. Failure to do so can cause significant challenges to spin-outs, exposing them to enforcement risks for potential data security and GDPR breaches and any associated remediation that generates.

Uncertainty over the data’s provenance can delay funding rounds until it can be clearly established – and those delays, and uncertainty, will have a knock-on effect on the valuation of a venture going forward. Transparency for data-driven initiatives is increasingly reflected in spin-outs’ success as the UK market continues to grow.

Treat data as a first‑class asset

Spin-out preparation should include a practical framework to ensure the data captured within a project is as much an asset to the venture as the IP itself.

As such, before a spin-out is incorporated, ventures should begin by

• data mapping alongside IP audits;
• identifying personal vs non‑personal data to establish controller and ownership liabilities; and
• confirming any funder constraints on how or where data accrued may be used in the future

During the spin-out, it is essential to ensure that all licences and agreements are explicitly in place relating to data which may be used, with ownership and understanding of processing roles agreed. Establishing a clear exit from the university’s own IT environments to ensure a smooth, and secure, transition to the commercial operation is also an essential step.

Finally, once the spin-out has launched, it is important to ensure that alongside IP transfers, data transferral is documented and has independent security controls in place, with clear definitions of who has what role and responsibility going forward. Access controls for academic founders must also be in place, to restrict or manage what access outside the spin-out is needed.

For universities preparing spin-outs, it is vital for them to consider if updates are needed to their policies and spin-out documentation to address data, alongside IP. This may involve having clear documentation on how data transfers will be managed. Data protection teams should be brought in at the earliest stage, to get expert insight to ensure a smooth, safe transfer process.