Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

July 2019
As companies move past the privacy controversies, ethics becomes a differentiator.

By Karen Schuler
A YEAR INTO THE EU’s General Data Protection Regulation (GDPR), and with the California Consumer Privacy Act (CCPA) looming, the era of indiscriminate collection and manipulation of personal data is coming to a close in the United States. The public outcry from big-headline data breaches and scandals has forced regulators’ hands around the world, and even tech giants like Microsoft, Apple and Google are pushing for a U.S. law to mirror the GDPR.
     While companies and regulators continue to work out how personal data can be used, a parallel conversation has emerged about how it  should be used. This consideration of ethics in the use of personal data, separate from compliance with laws and regulations, is known as data ethics. It has arisen from the prevalence of Big Data and the speed with which we adopt innovative technology, such as the internet of things. This has sparked debates on the principles of ownership, transparency, consent and privacy, which in turn have stimulated discussion about the ethical transactional use of personal information.

What Is Data Ethics?
Generally speaking, society expects individuals to act morally, and that expectation has been extended to companies and other organizations. Companies, industries and business practices that are perceived as not living up to our standards lose credibility and trust among recipients of their products and services, and may even attract the intervention of government agencies and legislators.
     While it’s hard to argue against regulations targeting unethical business practices like money laundering and insider trading, the line between legal and illegal, when it comes to data protection and privacy, is more nuanced and that's taking center stage. The Federal Trade Commission (FTC), which enforces laws against unfair and deceptive business practices, advocates for the ethical use of data, and it can also bring action against privacy noncompliance.
     It has taken time and a series of high-profile data breaches and deceptive practice cases for individuals to understand the extent to which their personal information is collected and used, and to form strong opinions about those practices. At the same time, companies have learned (and some, like Facebook, have learned the hard way) that when it comes to data protection and privacy, it’s in their best interest to empathize with their customers.
     But this shift in sentiment is not purely altruistic. Being seen as proactive and/or going beyond what the law requires can form the basis of a powerful marketing message and a compelling competitive differentiator. Companies are figuring out that, in the same way that including “organic” on a food label can drive sales, consumers are drawn to tech that respects their privacy. Apple, for one, has made privacy the cornerstone of recent ad and marketing campaigns, and touts the fact that it collects less personal data than peers like Facebook and Google. And while the self-regulation ship sailed with Mark Zuckerberg’s Washington Post op-ed in March, where he publicly advocated for the government stepping in to regulate the internet in support of public safety, embracing data ethics may help companies stave off more restrictive regulation, or at least earn them a bigger say in making the rules.
     The din over data ethics among the public, legislators and academics has given rise to a relatively new C-level title: the chief ethics officer, also known as chief trust officer or chief ethics and compliance officer. While some practices, such as medicine and law, have ethics in their structural DNA, newer pursuits—like tech services—are revenue-driven. Even without foundational ethical guidance, we have been seeing frameworks develop for strategic and principled use of technology in recent years.

So, You Want to Be a Chief Ethics Officer?
Where does a newly minted chief ethics officer begin? Though the discipline of data ethics goes above and beyond compliance with laws, the first step is to ensure adherence to all relevant privacy regulations. While industry privacy regulations such as HIPAA in the health care sector are well established, stakeholders on every side of the GDPR and the upcoming CCPA are still working out the details and nuances. Nevertheless, for those that fall under their jurisdiction, these regulations are non-negotiable, so they’ll serve as the foundation upon which your data ethics framework is based.
     As my colleague Gregory Garrett explained in a recent interview with this publication, too often when he talks to chief compliance officers or general counsel or outside legal advisers, their focus is on addressing the specific circumstances surrounding the latest data breach or complying with regulations. This aligns with BDO’s recent survey that found that data breaches are corporate counsel’s biggest concern when it comes to legal risks associated with data.
     While a robust information governance strategy can help your clients ensure regulatory compliance and mitigate cybersecurity risks, for the reasons we’ve outlined above, data protection and privacy initiatives need to go beyond what a company is required to do. Organizations should also adopt a mindset of thoughtfully balancing the business need for consumers’ data to support operations and the “how would I feel” approach of providing them with reasonable expectations as to how their data will be used, processed and shared.
     The first step in implementing a data ethics program is to develop a Data Ethics Framework. This is a tool that will guide a company through the most appropriate collection and use of data before a new project begins, a new process is introduced or a new technology is released.

The Data Ethics Framework should include the following four elements:

1. Clearly define the project and its benefits.
Before collecting data or using it, be clear about what you’re trying to achieve, what issues you’re trying to solve, and for whom you are trying to solve it. Match the values of this project to the individuals benefiting from this solution. The questions the stakeholders answer should demonstrate the potential risks or negative consequences in not proceeding with the project.

2. Develop a transparent program that holds the company accountable for the use of data.
As the GDPR and the CCPA both outline, companies should be transparent about the use of personal data, and should take measures to protect it. These principles provide a clear transition to instituting a Data Ethics Framework by providing consumers with the knowledge of the data that is being collected about them and how it will be used, and by allowing consumers to request data removal. It is also important to be transparent about the use of repurposed data, and ensure that the company is able to provide clear interpretations about how the approach was designed.

3. Use data proportionate to the project.
The company should use the minimum amount of relevant data necessary to achieve specific results. Before you start a project, determine the types of data (personal and nonpersonal) you need, the source of the data and how you will receive it. The stakeholders should also assess whether the data collected is appropriate for the project.

4. Understand the limitations of the data.
It is imperative that a company and its project stakeholders understand the source of data being used for the project. Having a strong grasp of the metadata could prove valuable to understanding what processes are in place to maintain the integrity of the information, and lead to greater flexibility in considering whether—and when—caveats will be necessary to future policies or procedures.

     While corporate counsel are primarily concerned with following the rules, it behooves them to understand the nature and value of their company’s data ethics philosophy. This is crucial in helping shape their strategy for preventing data issues and dealing with them when they occur. As we’ve seen, data breaches and deceptive trade practices can quickly become headline news, so a coordinated approach grounded in data ethics is essential.
     In addition to minimizing data misuse and ensuring that everyone in the company is on the same page, a data ethics program reduces the risks to individuals’ privacy, and decreases the human and institutional biases in data sets. When a company is transparent and collects only the data the project requires, consumers will have a better understanding of how their data will be used. The opportunities presented by data are valuable, but companies must learn to leverage that information and technology responsibly and transparently. Investing in a data ethics program will help your clients avoid fines and bad publicity as well as allow their businesses to thrive without being at odds with their customers.

Karen Schuler, Principal and Data & Information Governance National Leader at BDO, has a background in managing businesses that provide governance, risk management and compliance services. Over the last 25 years she has managed organizations that provide global investigations, litigation support, privacy, data breach notification and information technology services.