Data Ethics…It Isn’t All Panic and No Disco!
Blogs on 7th May 2019
From the FCA to the ICO, the EBA to the European Commission, everyone’s talking about data ethics. As we explained in our workshop on day one of the Innovate Finance Global Summit, data ethics can help you decide between what you can do with data and what you should do with data. This is not just a philosophical exercise. Regulators and customers increasingly expect you to stretch beyond compliance with the letter of the law to demonstrate your commitment to the spirit of the law. With that in mind, here are some top tips for operationalising data ethics:
- Engage principals… Ethical questions around the use of data should not be left to be determined lawyers or compliance teams alone. These issues require engagement across a broad range of internal stakeholders, from those involved in designing and implementing digital services to those responsible for customer and business strategy. Tone from the top, engagement at all levels, and education and awareness will be critical to ensuring that all internal teams understand the importance of ethical approaches to data, and the implications of getting this wrong.
- … to establish principles. Work with your stakeholders to develop data ethics principles. Whilst good ethical behaviours can be incentivised, they are more likely to come from individuals buying into a commonly held set of principles. There is a growing volume of guidance outlining the ethical principles that should underpin data processing activities (including from the CNIL in France, the Personal Data Protection Commission in Singapore and, most recently, the European Commission’s High-Level Expert Group on Artificial Intelligence). You can use these as a base to create data ethics principles that reflect/supplement your organisation’s data use cases, corporate purpose, risk appetite and values. Think carefully about how these principles might be used in practice, and whether it is appropriate to give additional guidance on areas that are higher risk for your organisation.
- Data culture, not data vulture. The concept of ethics in any given society is constantly evolving, as behaviours flit between ‘acceptable’ and ‘unacceptable’ in public and regulatory consciousness. This can make it challenging for organisations to be sure that they are operating in a way that is ethical, and seen to be ethical. Operationalising data ethics means establishing a framework that can, in the long-term, withstand a fluid sociocultural landscape. So refresh your principles, and regularly review the effectiveness of your governance and internal controls to ensure that they are driving the desired behaviours (e.g. responsible data use, rather than reckless data hoarding). It could also include regularly stress-testing your data ethics principles against public sentiment by monitoring current affairs and engaging market researchers.
- Let’s just say it’s a matter of leverage… Data ethics may seem like yet another regulatory expectation for organisations to comply with. But there is ample opportunity for organisations to build on risk management frameworks, impact assessments, internal policies and procedures and governance and accountability models implemented as part of the organisation’s data privacy compliance programme or the organisation’s risk management approach more generally. For example, you may need to decide which data ethics questions to build into template data privacy impact assessments (for use where personal data is involved), and which to include in a stand-alone ethical data impact assessment (for use in all other data-use cases).
The right governance strategy may be to create new bodies or committees (such as a data ethics body), or to redesign the terms of reference for existing fora to ensure that ethical questions are addressed. Whichever approach is taken, make sure the relevant bodies are incorporated into the wider governance structure and have clear responsibilities and escalation protocols. To embed data ethics within your organisation you should avoid ethical decisions being viewed as a separate exercise that is the domain of technical experts, and ensure that it becomes part of the day-to-day management of the business and an issue on which senior management are kept informed.
- Ethics by design. As with privacy, embedding ethical considerations into the DNA of products and services from the outset can save time, money and resources involved in having to re-design a product or service because it fails to comply with the organisation’s data ethics regime. Consider including questions around data ethics in any new product/service approval process.
- You have to understand the risks to implement a remedy. Many people in the organisation will have a role to play in embedding an ethical approach to data use. Specific data ethics considerations may be different for, e.g. data scientists within an organisation, in comparison to the marketing team. You should make it as easy as possible for people to identify what activities are, and are not, considered to be ethical in the context of their roles. Upskilling your stakeholders at all levels of the organisation is critical.
- Knowledge is power. The more you understand about the provenance of the data, why it needs to be used to achieve the business objective, and how it is to be used, the greater your ability to assess whether the data use is ethical. Due diligence is key to achieving this. For example, are you using data to mirror consumer preferences, or to manipulate them? How relevant is the data being collected, relative to the purposes of the processing? And how are the algorithms used to process the data trained, tested and validated?
- No man is an island. Engage with your data supply chain and flow down (or up) your data ethics principles. With the proliferation of data-sharing and secondary use of data, aligning data ethics principles with members of your data ecosystem can help you to meet your achieve your ethics objectives (such as transparency).
- Always keep in mind the data ethics mantra: “Just because you can, doesn’t mean you should“. This is the core principle that should underpin every discussion and decision about data management within an organisation, and is a helpful rebuttal of arguments that ‘creepy’ business propositions are a good idea. This sentiment can help to shift your organisation’s mindset from a compliance/tick-box approach to an approach based on values and principles.
Contacts at Allen & Overy:
Technology and Data
Tel +44 20 3088 2158
Tel +44 20 3088 2061
Financial Services Regulatory
Tel +44 20 3088 3207