This series by the team at Sentinel examines the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this fourth article, we’ll provide a look at the role data ethics plays in a culture of privacy. Find the first three articles in the series once said, “Ethics is knowing the difference between what you have the right to do and what is right to do.” While Stewart didn’t have a crystal ball to see how unfettered access to data via the internet would transform our world, the words strike a fresh chord in today’s data-driven society. Just because you can engage in a processing activity doesn’t mean you should.

​Every human being has their own idea of what constitutes an overreach that violates their privacy, which makes “doing the right thing” very difficult. To quote Eli Noam, “[P]rivacy is an issue of control over information flows, with a much greater inherent complexity than a conventional ‘consumers versus business,’ or ‘citizens versus the state’ analysis suggests.” For example, say an online retailer uses personal information it collects to infer that a woman is pregnant and sends her a coupon for a discount on diapers, many people would see this as a benefit to the woman; others may see the inference as a privacy violation. And what if instead of a discount, that retailer raised the price of diapers $2 based on the inference? I think we can all agree, while this may be legal, it’s not cool.

These are the decisions organizations are making about how they use data every day. Data ethics means looking at your available options and making decisions that consider the kind of relationship you want to have with the people whose personal information you hold.

Regulating ethics

In the U.S., organizations regulated by the Federal Trade Commission should be aware of its power to regulate “unfair or deceptive trade practices” as granted under the FTC Act. These powers have been used to set a standard that goes beyond strict black-letter law to broader principles of what can be considered unfair or deceptive. Similarly, principles in the EU General Data Protection Regulation’s Article 5 and Australian Privacy Principles, among others, provide an ethical standard of conduct with some ability to develop an approach that fits your specific circumstances.

The challenge with these standards is they’re difficult to quantify. In many cases, these concepts come down to a feeling — much like Potter said when trying to determine a threshold for obscenity, you know it when you see it. So, while these regulatory efforts provide some guardrails, the challenge of interpreting an amorphous concept like “fairness” into an actionable plan remains.

The benefits of data ethics

The conversation around contact tracing apps amid the COVID-19 pandemic has put a magnifying glass on the complexity of data ethics and is showing us how important it is to clearly define rules around notice, use, disclosure and retention of personal information from an ethical perspective. It’s likely that contact tracing for COVID-19 can provide enormous societal benefits, but many individuals are hesitant to give free rein over their data to the organizations and governments in control of the technology. Data sharing is about trust, and trust is earned.

Here are a few things we know:

  • People stick with organizations that handle their data in line with their expectations and protect it appropriately.
  • People respond negatively to the so-called “creepy factor” we hear about so often at privacy conferences.
  • People want to be offered the tools to control how their data is used and shared (whether or not they use them).
  • Laws are moving toward giving individuals more control over their data.

By incorporating ethical considerations into your decision-making, you can boost and retain consumer trust, use privacy as a differentiator in the marketplace and be better prepared for future privacy regulation by preemptively implementing processes and controls. However, finding the right balance between business needs like short-term revenue and building a relationship of trust with users is essential.

Embedding data ethics in your organization

In theory, data ethics seems like it should be pretty easy: Don’t do creepy stuff with people’s information, and don’t charge the pregnant lady $2 more for diapers. But data ethics don’t exist in a vacuum. An organization’s posture around handling data needs to balance the needs, objectives and obligations of the organization with the expectations and wishes of the individuals whose data they hold.

So, where do you begin?

Understand your ecosystem

We can’t state this enough: The first step in any privacy-related function should be to understand what your current data flows look like. Getting a baseline on your practices will allow you to see what’s important to your business model and find the low-hanging fruit that can give you some early successes. Say you’re collecting information that no one in your organization actually uses — eliminating the collection of that data element is a quick and easy privacy win.

You also need to understand your users. What are their expectations regarding how you handle their data? How do they expect to interact with your product? How much control do they expect to have over their privacy preferences?

Understanding and meeting your users’ expectations will help build the trust necessary for them to want to continue engaging with your product.

Use the FIPPs

The