Ethics in Data Management by Design
Anonymous | July 7, 2022

External data has become an essential component of a company’s data strategy, and data brokers are an integral part of the landscape. However, are the policies and regulations able to catch up with the evolving data brokerage domain and data collection methods? Do companies safeguard external data with the same commitment with which they protect their internal data? And even if they are able to capitalize on some of the ambiguities surrounding data management, should they do so at the price of ethics?

Current state

Companies are increasingly exploiting data offered by data providers or obtained through different data subscriptions and in many cases, it has become an integral part of companies’ data strategy. Enterprises utilize external data not only for marketing purposes, but also for a variety of internal use cases, such as ensuring the safety of the company’s personnel and executives, identifying and mitigating reputational risks, and benchmarking company performance across a variety of dimensions, among others. In addition to utilizing the data acquired via data brokers, many organizations also utilize open/public data.

Contractual responsibilities between the data provider and the consuming companies govern the use of external data to some extent. However, processing external data, merging disparate data sources, and augmenting external data with data received from internal or public sources pose a new set of challenges to the regulations and controls that companies must implement. While there is clear guidance from GDPR, FTC, CalOPPA, and others, several of the above-mentioned domains still lack well-defined policies and remain ambiguous.

In addition to the formal constraints, there is also an opportunity to assess the ethical and behavioral implications of intercompany data management and consumption. Even if there is some ambiguity in data management, the question is whether we should expect businesses to have a higher ethical standard and awareness. In many circumstances, inter-company data privacy groups are primarily concerned with the management of personally identifiable information, with a focus on internal business data. Compliance checks undertaken by these groups are frequently perceived as overhead by delivery teams, and even as an obstacle or significant slowdown in project performance. While many companies have incorporated privacy risk and impact assessments into their operations, as long as these reviews are perceived as an impediment and performance is measured and driven by time to market, these reviews could potentially generate a false sense of security.

A brighter future?

With the evolution of formal regulations, which will hopefully provide clearer guidance addressing the data brokerage domains and companies’ practices pertaining to external data management and consumption, it would be fantastic to see companies not only improve their internal practices and regulations to comply with the formal regulations but also drive more ethical data practices. Some of these concepts ought to be integrated into the performance measurement of the workforce in order to encourage the adoption of ethical data management and subsequent behavioral and cultural shifts. It would be great to see ethics built into the design processes, and to see privacy by design cease being an afterthought and become an integral component of the enterprise data architecture guiding principles.