A Guide To The Mutating Ethics Of GDPR
Personal data has never been more valuable for business executives. CEOs and business leaders across the globe are pushing their teams to take advantage of the enormous opportunities that data provides, from creating hyper-targeted marketing campaigns to utilising historical data to identify potential credit risks.
Consumers willingly allow the collection and use of their data, on the understanding that it is not overused, exploited or put at risk. There is, therefore, an ethical contract.
Data science, and especially data science that relies on personal data, is fundamentally reliant on data ethics. Without it, the analysis and output cannot be considered trustworthy or safe, which means it is likely to be rejected as inappropriate and progress will be stifled.
And so, if data ethics is so vital, we must make sure we fully understand how it changes over time as it will inevitably impact the directions in which data science can and cannot grow.
Data Ethics in GDPR
One such example of a misperception in data ethics is already manifesting within GDPR.
GDPR was implemented on 25th May 2018 across Europe to control the exact ethical contract referred to above. One of the most important new obligations handed down to companies and their executives was their duty to only process an EU citizen’s personal data if one of six specific grounds were met. These grounds range from processing data in order to perform a contract, to acting in the public interest, and of course, acting with the subject’s consent.
However, one additional ground for processing data was consciously included in order to make the law simultaneously protective and practicable – the right for a company to process personal data in order to pursue their own “legitimate interests.”
This is intentionally ambiguous, intended to ensure the GDPR is not overly-obstructive to sensible business activities. Essentially, if a business can prove the use of data is sensible and does not infringe on the subject’s privacy, then it is permitted as ‘legitimate interest’. Reading between the lines, this means then that ‘legitimate interest’ is a manifestation of what is perceived as ethical.
However, a problem has arisen. A combination of an alarmist media and deliberately misleading marketing is perpetuating a warped myth that lawful use of personal data relies on consent – ignoring the deliberate inclusion of legitimate interest.
This assertion risks directing the ethics of data privacy in a misleading and impractical direction.
This would mean that honourable companies that correctly use permissible use of data through ‘legitimate interest’ are in danger of appearing unethical and even illegal, sparking PR crises for well-intentioned brands and overburdening the appropriate authorities unnecessarily.
The importance of transparency
But there is an antidote – combating the culture of hype with a culture of transparency. If executives work directly with their companies to ensure the declaration of both why and how they collect and use personal data, openly and in detail, they not only validate their activities, but they also earn the trust of their audience – and perhaps educate those who have been misled.
Setting a high bar for transparency is a positive step in the industry, as public knowledge and understanding of data use is key to avoiding the misuse of personal information. Nevertheless, establishing a culture of transparency is easier said than done. Organisations across the world have been gathering personal data for years and many will be able to defensively state a reliance on confusing legal grounds, but not clearly explain to the layperson how those grounds are being used.
This is not a case of CEOs not having the will to do it – it’s because it’s often easier said than done. Businesses of all shapes and sizes now have to comply with the rules set out by the GDPR. However, unfortunately very few businesses actually have the legal expertise, technical understanding and change management experience to make sure that their data usage is both ethical and in line with GDPR. As if that was not enough, we also need to consider whether our businesses actions are compatible with any additional privacy regulations and data management requirements that may apply to each specific industry.
In fact, we know that huge corporations such as Ticketmaster are currently being investigated for data breaches, the results of which could end with the first set of GDPR-related fines before the end of 2018. As CEOs and executives, we must ensure our businesses respond to data requests in line with giving consumers greater power over their data.
This is exactly why many companies now are seeking the reassurance of external support to ensure that every base is covered. More importantly, however, many companies are also seeking advice on how to reassure their audience that despite relying on flexible legal frameworks, they are being transparent. In short, ensuring that they are not only acting legally, but also achieving truly ethical use of data.
Sophie Chase-Borthwick, Director of Privacy Services and Data Ethics
