bird eating breadcrumbs

Beyond Compliance: The Ethics Behind the New Data Protection Rules

5 minute read
Laurence Lock Lee avatar

As Europe looks to introduce its new General Data Protection Regulations (GDPR) in 2018, the arguments for and against more regulation continue to build.

Whether you are a customer or vendor though, the GDPR promise to unify — and therefore simplify — the compliance requirements for data protection is a positive.

Are Regulations and Compliance Enough?

Of course, GDPR only applies to companies doing business within Europe, but it is a step in the right direction for the whole world. The current status quo leaves organizations to cobble together their own requirements, which for vendors and customers alike, are creating huge barriers to business innovation.

However, the trade-off between innovation from more sophisticated data analytics and the risk of litigation for non-compliance, remains ever-present. We all want the benefits that can accrue through appropriately targeted analytics, but at what cost?

The bigger question, though, is whether regulations and compliance can be enough to create the desired behaviors.

Looking Through the Ethics Lens

At a recent conference on data privacy in Sydney, Australia, ethics expert and executive director of the Ethics Centre Simon Longstaff, noted, “When technical mastery is divorced from ethical intent, you get tyranny.”

Longstaff encouraged companies to apply their own ‘ethics lens’ when developing new applications that might put personal privacy at risk.

Legal Compliance

At that same event, Data Governance Australia chairman Graeme Samuel suggested that legal compliance alone will not be sustainable in the long term, and that it will not only stifle innovation, but fail to deliver the best outcomes for consumers.

The unifying tenet of these arguments is that regulations will never keep up with the pace of technological development, so we need to look at other ways to govern the inappropriate use of personal data.

Perhaps that approach can be found in the market itself?

Just Saying No to Privacy Concerns

A recent Australian national privacy survey indicated that around 60 percent of respondents choose not to deal with organizations that create privacy concerns for them. And these privacy concerns aren’t just related to unlawful activities.

For example, inside the enterprise, the idea of tracking ‘digital footprints’ is not new. Yet, although email archives are typically the legal property of the enterprise, most organizations will avoid applications that make their employees feel that their privacy is being compromised.

Building Consumer Trust

Tech companies are also aware that their need to build trust with their customers goes way beyond their legal obligations. Google’s ‘Don’t be Evil’ code of conduct was an early acknowledgement of the potential power the company has over people’s lives.

On a smaller scale, when my company called itself SWOOP Analytics, one of our founders quickly identified the danger of that name being turned into ‘SNOOP Analytics’ instead.

Learning Opportunities

Looking Beyond Compliance

As the GDPR rolls out, many services are becoming available to help both vendors and clients comply with the new rules. But as I have highlighted, compliance is not the end game.

In fact, it would be naïve to think that the opportunity won’t still exist for behavior that technically complies with GDPR regulations but is still unethical. Therefore, GDPR advice needs to go beyond compliance to address more fundamental aspects of what constitutes ethical behavior.

Scary Data Protection Risks

Nor is the line between ethical and non-ethical behavior black and white. In a recent discussion with a friend who sits on the boards of several publicly traded companies, she noted that they were continuously receiving presentations from IT security groups.

She reflected that the presenters did a great job of identifying data protection risks that could “scare the living daylights out of you.”

The 5 Tenets of Risk Management 101 

The dilemma, then, is getting the balance right. Beyond the given of legal compliance, it comes down to risk management 101:

1. Identify the risks

For the consumers, enterprises and vendors alike, what are the worst things that could happen if personal data were to be lost? For example, someone finding out your gender might lead to some unwanted advertising. Losing access to financial information would, however, be potentially far more damaging.

2. Determine your vulnerability to the identified risks

Inside the enterprise, individuals will be required to provide personal details to their employers. For example, employers will need your banking details to pay you. Understanding the potential vulnerabilities in your employer’s systems, as well as those of your bank, is very important.

3. Assess the likelihood that these risks could materialize

Using the previous example, even if someone were to acquire your banking details, what is the likelihood that they would be able to do any material damage? Over time, consumers have become more relaxed about providing personal details on platforms like Facebook and LinkedIn as they start to assess their own cost/benefit trade-offs for doing so.

4. Identify what actions you can take to mediate identified risks

Social platforms now provide you with many options to manage your personal exposure. Interestingly, fewer than 50 percent of us ever bother to use them.

5. Prioritize and implement your risk mitigation actions

Whether you are an individual, vendor or enterprise, the best way to create the right balance for you between risk and reward will be to carefully prioritize your risk reduction strategies and tactics.

About the author

Laurence Lock Lee

Laurence Lock Lee is the co-founder and chief scientist at Swoop Analytics, a firm specializing in online social networking analytics. He previously held senior positions in research, management and technology consulting at BHP Billiton, Computer Sciences Corporation and Optimice.