Using data ethically: It's not as black and white as it seems
Data is hugely valuable. Even written down like that, it looks like a gross understatement.
If we want to take this article from The Economist as a milestone, data surpassed oil as the world’s most valuable resource back in 2017. And since then, its stock has gone up exponentially.
Data is the perfect renewable resource. In the digital age, our very existence creates ripples in the dataverse that, when bundled up with hundreds and thousands of other people’s data, result in a tidal wave of commercial opportunities for businesses.
Even the biggest technophobes will have some sort of digital footprint that can be used to discern anything from their spending habits to their political opinions.
There are over 2,500,000,000,000,000,000 bytes (or 2.5 quintillion) of data created each day. By 2025, we will collectively be generating an estimated 463 exabytes of data every day. So not only has data surpassed oil in value, but its volume keeps growing whilst oil reserves are running out.
Another area where it diverges from other resources or commodities like oil is that the abundance of data doesn’t limit or diminish its value. That’s why data-related activities are seeing huge growth.
The measurable value of our data
The data brokerage market, for example, was valued at $268.73 billion in 2022. Between now and 2029 it’s expected to grow at around 4.5% annually, which would take it to $365.7 billion.
But it’s not just the buying and selling of data that generates revenue, it’s the analysis of data to inform business decisions. Which customers are likely to buy what products and when? Which competitors are likely to succeed or run into trouble? How will markets and whole economies create commercial advantages – or threats?
Regardless of your industry, this kind of thorough data analysis brings enormous advantages. But in trying to gain these advantages, many businesses have found themselves on the wrong side of the law around data protection, privacy and ethics.
Since the GDPR took effect in May 2018, for example, we've seen over 1,400 fines issued across the European Economic Area (EEA) and the U.K.
Now you might think most of these fines resulted from businesses deliberately breaking the rules to get ahead. It’s well within the realms of possibility to suspect they weighed up the risk-benefit ratio and decided the juice was worth the squeeze.
But the fact is, many of these breaches were “honest” in as much as they weren’t the result of a conscious decision by businesses to play fast and loose with other people’s data – and the rules.
In this article, I’m going to discuss a couple of the most flagrant abuses of data and ethics as a jumping-off point. I’ll then show how, even with the most honest and ethical intentions, it is possible to collect or use people’s data in an unethical way. That, in turn, demonstrates the need for robust frameworks and procedures to prevent errors of judgement – which I’ll outline at the end.
Uses of personal data that are clearly unethical and unlawful
As I wrote above, over 1,400 fines have been issued to companies since the introduction of GDPR in 2018. Most of the biggest ones are clear cases of deliberate abuse.
Amazon
Most notably, Amazon was slapped with a $877 million fine in 2021 – at the time, by far the biggest in the short history of GDPR. Why? Primarily for how it collects and shares personal data via cookies.
This wasn’t the first time the company had been fined for the same offence. But Amazon could easily have avoided it by simply obtaining “freely given”, informed, and unambiguous opt-in consent before setting cookies on its users’ devices.
Whilst it is tempting to force users to “agree” to cookies or make opting out difficult to collect as much data as possible, it’s worth knowing that regulators have shown a serious appetite for enforcing the EU’s cookie rules in recent years. This fine is evidence of that.
Facebook/Cambridge Analytica
Then there’s the most infamous of all the breaches, Cambridge Analytica, which in 2014 acquired the private Facebook data of as many as 87 million users. It then used that data to sell psychological profiles of voters to political campaigns.
The way it harvested this data was pretty simple: it attached an app to a psychological questionnaire. And when users completed the questionnaire, they were asked to grant access to their Facebook profiles. Once they did, the app then harvested their data and that of their friends.
You might think: well, they granted access to their profiles, so what’s the problem? But that part isn’t the issue. It’s the granting of access to friends’ profiles that’s the problem – and where Facebook was found to be culpable.
At the time, friends’ consent wasn’t required on the platform. But of course, under the data protection rules of all the affected jurisdictions, a third party doesn’t have the right to grant permission to access someone else’s data.
The result? Thirty-six billion dollars was wiped off Facebook’s market value, and Mark Zuckerberg was left trying to answer some pretty uncomfortable questions.
These are, of course, clear-cut cases where an infringement was easy to identify. The perpetrators knew what they were doing. Cambridge Analytica’s own lawyer flagged concerns that the company might be violating American election law.
But as I mentioned at the top, sometimes cases are not as black and white.
How it’s possible to breach data protection rules inadvertently
Recently, I read of a case in the Harvard Business Review of a recruitment firm that nearly fell foul of data protection rules.
The firm, which incidentally has a commitment to promoting diversity and inclusion in the workforce, was receiving reports of discrimination based on demographic data from its users. So it moved to reassure those users – candidates, in this case – that the platform wasn’t responsible.
The company knew the algorithms that match vacancies with candidates are skills-based. Demographic data is not considered in the process. So logically, any discrimination must be occurring at the hiring companies.
To prove this, the firm approached a business school to conduct some research. The school opted to replicate a study from a few years earlier that created several standardised CVs but varied the race and gender of the applicants.
Thousands of applications would then be generated and sent out to companies in the area, and the results tracked and analysed. However, since research of this kind requires an ethics review, the proposal had to be run past the school’s Institutional Review Board (IRB), which rejected it.
The board ruled that the school was proposing to collect data by subterfuge. It would be deceiving corporate users of the platform, recruiting them as unwitting research subjects for the school’s client without their knowledge.
Not only that, but there would be no benefit to them, i.e., via compensation, and in fact they risked reputational damage if the study found them to be discriminatory.
As a result of the review, the study never saw the light of day. But if it had, it would’ve breached legislation on the same grounds that Cambridge Analytica did: Data sought by a business must be specified contractually and must be necessary for the service it provides.
This case study just goes to show that, even when the reasons for collecting data are transparent, the methods used to gather it can still be unethical.
What are some steps businesses can take to avoid unethical use of data?
We’ve seen then that you don’t have to be trying to manipulate voters or sell web users’ data to find yourself on the wrong side of the law. But the good news is that these ethical grey areas can be avoided by implementing some, if not all, of the following steps.
Now, I’m approaching this from the perspective of recruitment, since that’s what our product is for. But these steps apply across industries.
1. Establish data governance policies
Create clear and comprehensive data governance policies that outline how data should be collected, stored, processed, and shared within the organisation.
This gets everyone on the same page in terms of what’s required and makes the whole team aware of why it’s in place.
2. Data minimisation
Collect only the data that is necessary for the intended purpose and avoid excessive data collection. For example, at PitchMe we collect candidate data from a range of sources, including social media platforms. However, we only collect and process data that’s relevant to our clients' needs, i.e., professional information.
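As a rough sketch of what this looks like in practice, the snippet below filters an incoming profile down to an allowlist of fields before anything is stored. The field names and the `ALLOWED_FIELDS` set are hypothetical examples, not PitchMe’s actual schema:

```python
# Data minimisation sketch: keep only the fields the service actually
# needs. Everything else is discarded before storage or processing.
ALLOWED_FIELDS = {"name", "email", "skills", "work_history"}  # hypothetical

def minimise(raw_profile: dict) -> dict:
    """Drop every field that isn't on the allowlist."""
    return {k: v for k, v in raw_profile.items() if k in ALLOWED_FIELDS}

scraped = {
    "name": "A. Candidate",
    "email": "a.candidate@example.com",
    "skills": ["Python", "SQL"],
    "religion": "…",         # irrelevant to recruitment – discarded
    "political_views": "…",  # irrelevant – discarded
}
print(minimise(scraped))
```

The point of an explicit allowlist (rather than a blocklist) is that any new field a data source starts exposing is excluded by default, which is the safer failure mode.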
3. Transparency and consent
Be transparent with users about what data is being collected, why it's being collected, and how it will be used. Obtain clear and informed consent from individuals before collecting their data.
Essentially, the lack of this step is why all three of our case studies represented unethical and unlawful practices. Amazon failed to obtain clear and informed consent. Cambridge Analytica, Facebook and the anonymous business school weren’t transparent about what data was being collected, why it was being collected, and its intended use.
4. Data security
Implement robust data security measures to protect data from unauthorised access, breaches, and cyberattacks. Encryption and regular security audits are crucial.
Bullhorn, for example, implements an advanced security method based on dynamic data and encoded session identifications. It also hosts the service in a secure server environment that uses a firewall and other advanced technology to protect against interference or access from outside intruders.
5. Anonymisation and pseudonymisation
Anonymise or pseudonymise data whenever possible to reduce the risk of identifying individuals from the data.
Techniques for anonymisation range from aggregating and approximating data, to perturbing variables slightly, to pseudonymising data so that a random, non-repeating value replaces each identifying variable.
It must be said, though, that this step has its limitations. As this Imperial College London study shows, anonymising personal data is on its own not enough to protect privacy.
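One common approach to pseudonymisation is keyed hashing (HMAC): the same identifier always maps to the same token, so records remain linkable across datasets, but the token can’t be reversed without the key. A minimal Python sketch, with a hypothetical key:

```python
import hashlib
import hmac

# Hypothetical secret – in practice, store this in a secrets manager
# and keep it separate from the pseudonymised dataset.
SECRET_KEY = b"rotate-and-store-this-securely"

def pseudonymise(identifier: str) -> str:
    """Replace an identifier with a keyed SHA-256 hash.

    Deterministic (same input, same token) so records stay joinable,
    but not reversible without SECRET_KEY.
    """
    return hmac.new(SECRET_KEY, identifier.encode(), hashlib.sha256).hexdigest()

token = pseudonymise("a.candidate@example.com")
print(token)
```

Note that this is pseudonymisation, not anonymisation: anyone holding the key can re-link tokens to individuals, which is exactly the kind of residual risk the study above warns about.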
6. Data retention policies
Develop clear data retention and disposal policies to ensure data is not kept longer than necessary.
Whilst there aren’t any set time limits in data protection law, “longer than necessary” essentially means don’t keep data that’s of no use to you anymore. Data retention always carries with it a level of risk that’s only worth taking if the data itself has value to your company.
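As an illustration, a retention check can be as simple as comparing each record’s last-useful date against a policy window and purging anything that falls outside it. The two-year period below is a hypothetical policy choice, not a legal requirement:

```python
from datetime import datetime, timedelta, timezone

# Hypothetical retention policy: two years from the date the record
# was last useful to the business.
RETENTION = timedelta(days=365 * 2)

def is_expired(last_useful, now=None):
    """True if a record has outlived the retention period."""
    now = now or datetime.now(timezone.utc)
    return now - last_useful > RETENTION

records = [
    {"id": 1, "last_useful": datetime(2020, 1, 1, tzinfo=timezone.utc)},
    {"id": 2, "last_useful": datetime.now(timezone.utc)},
]
# Keep only records still inside the retention window; schedule the
# rest for secure deletion.
kept = [r for r in records if not is_expired(r["last_useful"])]
print([r["id"] for r in kept])
```

Running a sweep like this on a schedule turns “don’t keep it longer than necessary” from a policy statement into an enforced behaviour.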
7. Third-party data usage
Vet third-party vendors and partners to ensure they adhere to ethical data practices when handling your data.
Failure to do this is why Meta paid $725 million to settle the Cambridge Analytica case.
8. Ethical use framework
Develop an ethical use framework that guides your organisation in making ethical decisions related to data usage.
In effect, this forms the first test of whether a strategy for using data is ethical. It can inform decisions in less complex cases, whilst any cases that divide opinion or cause uncertainty can be run past an IRB or ethics committee (more on that below).
9. Employee training and awareness
Educate employees about data ethics and privacy best practices. Make them aware of the consequences of unethical data use. Feel free to use the cases I outlined above.
It’s also crucial to instil a cautious approach when working across jurisdictions. Data protection rules can vary greatly between continents, countries, and even individual states.
10. Whistleblower policies
Create mechanisms for employees to report unethical data practices without fear of retaliation.
Humans are fallible. The pressure to achieve and get results can lead to unethical decisions – there are plenty of case studies to support that.
So that’s why it’s crucial to foster a culture whereby employees feel supported in reporting unethical data practices. It’s not about blame, it’s simply about getting it right.
11. Regular audits and assessments
Conduct regular audits and assessments of data practices to identify and rectify any potential ethical issues.
This is a critical step in ensuring compliance with GDPR, under which you must report a breach to the supervisory authority without undue delay, and no later than 72 hours after becoming aware of it.
Notably, in the Cambridge Analytica case, Facebook employees were aware of concerns about improper data-gathering practices months before the story first broke. Had GDPR been in force at the time, that delay would have represented a clear breach of the rules.
12. Customer data rights
Respect customer rights, such as the right to access, correct, or delete their data upon request.
This point can be turned to your advantage. By enabling self-service for candidates and clients to update their own data – and by using automation to update fields and flag missing key information – you not only give customers access to their data, you also ensure it stays accurate and up to date.
The structural changes we can make to avoid unethical data use in the future, regardless of changes in technology and legislation
Data privacy compliance, ethics committee, and continuous improvement
Ensuring compliance with the relevant data privacy regulations starts with a thorough awareness and understanding of the rules.
As I mentioned above, regulations can change a lot depending on where you're operating.
We have GDPR that covers the entire EEA, but the US doesn’t have a singular law that covers the privacy of all types of data. Instead, it has a mix of laws that go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA.
That’s a lot of regulation to keep on top of if you’re recruiting on both sides of the pond. So, broadly speaking, the responsibility to ensure compliance should fall on everyone.?
That said, regulations are never a fixed point. That’s because they have to keep pace with new ways of collecting, processing and using data. And so it seems sensible to assign specific roles and responsibilities within your organisation.
I’d say this approach is certainly preferable and more manageable than leaving oversight for the whole company in the hands of an individual compliance manager.
An ethics committee or advisory board can provide guidance on ethical data use. It can also review procedures to ensure existing and future data handling doesn’t contravene ethical boundaries. A working example of this is the business school, which would’ve been guilty of a breach had the IRB not stepped in.
As that story shows, even with the best of intentions, you can wind up on the wrong side of legislation. So if an ethics committee prevents that, it’s a safety net worth investing in.
And, as with anything of this nature, it’s good practice to continuously review and improve data ethics procedures based on feedback, advances in technology, ever-changing regulations, and emerging ethical standards.
Summary
Data is valuable. But it’s important that in pursuit of the riches it offers, we don’t forget our duty to the individuals it belongs to. Adhering to ethical and regulatory standards is crucial, not only in avoiding punitive action but in maintaining trust with users.
It’s important to remember that it’s not only those with nefarious intentions that fall foul of the regulations around data use. You can be transparent and well-intentioned and still wind up with a hefty fine. That’s why it’s crucial to create a comprehensive and robust company-wide framework for how you collect, process, store and use data.
As more of our commercial and social activities switch to digital platforms, we’re only going to create more of this ceaseless commodity. So getting the foundations in place now for how you manage it in an ethical way will enable you to capitalise on it whilst keeping you on the right side of the rules.