This series by the team at Sentinel examines the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this fourth article, we’ll provide a look at the role data ethics plays in a culture of privacy. Find the first three articles in the series here.
“In civilized life, law floats on a sea of ethics,” former U.S. Supreme Court Chief Justice Earl Warren said, but we know privacy laws haven’t kept pace with technological advancements and the evolution of the data economy. In many areas and industries across the globe, there are few rules around what businesses can do with personal information. In a culture of privacy, this is where we consider how to incorporate ethics into our overall privacy program.
What are data ethics?
Potter Stewart, associate justice of the U.S. Supreme Court,once said, “Ethics is knowing the difference between what you have the right to do and what is right to do.” While Stewart didn’t have a crystal ball to see how unfettered access to data via the internet would transform our world, the words strike a fresh chord in today’s data-driven society. Just because you can engage in a processing activity doesn’t mean you should.
Every human being has their own idea of what constitutes an overreach that violates their privacy, which makes “doing the right thing” very difficult. To quote Eli Noam, “[P]rivacy is an issue of control over information flows, with a much greater inherent complexity than a conventional ‘consumers versus business,’ or ‘citizens versus the state’ analysis suggests.” For example, say an online retailer uses personal information it collects to infer that a woman is pregnant and sends her a coupon for a discount on diapers, many people would see this as a benefit to the woman; others may see the inference as a privacy violation. And what if instead of a discount, that retailer raised the price of diapers $2 based on the inference? I think we can all agree, while this may be legal, it’s not cool.
These are the decisions organizations are making about how they use data every day. Data ethics means looking at your available options and making decisions that consider the kind of relationship you want to have with the people whose personal information you hold.
In the U.S., organizations regulated by the Federal Trade Commission should be aware of its power to regulate “unfair or deceptive trade practices” as granted under the FTC Act. These powers have been used to set a standard that goes beyond strict black-letter law to broader principles of what can be considered unfair or deceptive. Similarly, principles in the EU General Data Protection Regulation’s Article 5 and Australian Privacy Principles, among others, provide an ethical standard of conduct with some ability to develop an approach that fits your specific circumstances.
The challenge with these standards is they’re difficult to quantify. In many cases, these concepts come down to a feeling — much like Potter said when trying to determine a threshold for obscenity, you know it when you see it. So, while these regulatory efforts provide some guardrails, the challenge of interpreting an amorphous concept like “fairness” into an actionable plan remains.
The benefits of data ethics
The conversation around contact tracing apps amid the COVID-19 pandemic has put a magnifying glass on the complexity of data ethics and is showing us how important it is to clearly define rules around notice, use, disclosure and retention of personal information from an ethical perspective. It’s likely that contact tracing for COVID-19 can provide enormous societal benefits, but many individuals are hesitant to give free rein over their data to the organizations and governments in control of the technology. Data sharing is about trust, and trust is earned.
Here are a few things we know:
- People stick with organizations that handle their data in line with their expectations and protect it appropriately.
- People respond negatively to the so-called “creepy factor” we hear about so often at privacy conferences.
- People want to be offered the tools to control how their data is used and shared (whether or not they use them).
- Laws are moving toward giving individuals more control over their data.
By incorporating ethical considerations into your decision-making, you can boost and retain consumer trust, use privacy as a differentiator in the marketplace and be better prepared for future privacy regulation by preemptively implementing processes and controls. However, finding the right balance between business needs like short-term revenue and building a relationship of trust with users is essential.
Embedding data ethics in your organization
In theory, data ethics seems like it should be pretty easy: Don’t do creepy stuff with people’s information, and don’t charge the pregnant lady $2 more for diapers. But data ethics don’t exist in a vacuum. An organization’s posture around handling data needs to balance the needs, objectives and obligations of the organization with the expectations and wishes of the individuals whose data they hold.
So, where do you begin?
Understand your ecosystem
We can’t state this enough: The first step in any privacy-related function should be to understand what your current data flows look like. Getting a baseline on your practices will allow you to see what’s important to your business model and find the low-hanging fruit that can give you some early successes. Say you’re collecting information that no one in your organization actually uses — eliminating the collection of that data element is a quick and easy privacy win.
You also need to understand your users. What are their expectations regarding how you handle their data? How do they expect to interact with your product? How much control do they expect to have over their privacy preferences?
Understanding and meeting your users’ expectations will help build the trust necessary for them to want to continue engaging with your product.
Use the FIPPs
The Fair Information Practice Principles provide a solid platform on which you can build your data ethics framework. Its principles of collection limitation, data quality, purpose specification, use limitation, openness, security safeguards, individual participation and accountability provide excellent guideposts for your data ethics conversations. Tackling each of these topic areas and defining what they mean and how they relate to your organization will help you align your practices with more expansive concepts like fairness and the EU General Data Protection Regulation’s privacy by design, as well as provide an additional dimension to your organizational decision-making.
Take openness, for example. Lots of laws require you to have an accurate privacy notice, but as is widely acknowledged, nobody reads those things. It may be legal to bury your less-than-exemplary data handling practices in a privacy notice that no one reads (hey, you told them, right?), but if you want to garner loyalty and trust in your customer base, that’s not the best way. Instead, think about the ways people interact with your organization and provide notice in ways that make sense in that context.
You’ll end up with more knowledgeable users who make more informed privacy decisions and will be more likely to trust you with their data. Plus, this is a great way to show regulators you’re paying attention to privacy.
Rely on existing controls
Often data ethics will take the form of extending the regulatory requirements applied to some areas of your business throughout the entirety of your business. For example, providing data access rights to individuals is required in some jurisdictions, but businesses may make the decision to extend those rights to all individuals whose data they hold. Not only does this achieve a higher ethical bar, but it also allows the organization to streamline privacy operations and provide a consistent experience to customers.
Data ethics means playing the long game
Ethics should be one of the core components of your business’s decision-making process, right alongside legal, contractual and business concerns. It can be a tough sell internally because it may involve trading in short-term goals for long-term benefits. But implementing ethical standards around data handling will help breed customer trust and loyalty, establish a platform for future regulatory success and give you a story to showcase your program to a range of stakeholders. After all, who wants to tout their success in doing the minimum, right?
Photo by La-Rel Easter on Unsplash