A lot of thought and consideration goes into developing a privacy program, and rightfully so. The program not only reflects how an organization abides by privacy laws and deals with privacy issues, but also reflects the organization as a whole.
How an organization presents itself boils down to ethical values and beliefs. And coincidentally, values and beliefs are pillars for how a company shapes its privacy compliance and incident response. The connection between ethics and privacy has long been known but remains relatively unspoken and under-appreciated when it comes to an organization's privacy feats. Akamai Technologies General Counsel and Chief Data Protection Officer James Casey, CIPP/E, understands the vital role ethics play.
"Ethics is doing the right thing even when no one is watching," Casey said last month at the IAPP's Privacy. Security. Risk. conference in Las Vegas. "It's the umbrella set of concepts that apply to your compliance, legal and trust efforts."
"How do you want to be seen as a company? What type of values do you want to present? And then you figure out how those values work down into the day-to-day operations."
Casey explained that while privacy regulations tell you what to do, ethics explain why you are complying. A similar line can be drawn when examining a data breach versus an ethics breach.
"Thinking about your ethics being breached means thinking about the issue at hand and measuring up to the values you have in place," said Mailchimp Legal Compliance Manager Mark Surber, CIPP/E, CIPP/US. "If it was a security breach, you're asking about what happened. Did we actually secure our systems to the level they should've been or was it an error in compliance where more could've been done?"
Casey and Surber both indicated that most privacy issues stem from a company sweeping ethics under the rug to some degree. In most cases, that amounts to a breakdown in communication. The two said issues can be avoided by ensuring an organization's data or privacy officer maintains a relationship with the ethics team.
"The privacy landscape is calling data ethics into this realm that we often see as separate and siloed from what we do as ethics and compliance professionals," Surber said. "It's putting us in a position where we have to define a stance on privacy. It also requires a deep dialogue between the two functions to make sure they're talking through areas of overlap and coming to an agreement on a stance across the organization."
Casey also acknowledged the dual responsibility that's taking shape between privacy and ethics teams. However, he alluded to privacy officers stepping up their efforts to grasp ethics rather than having ethics officers try to make sense of data flows and the technicalities that come with them.
"The ethics and compliance officer is going to help any privacy officer define that overarching code that they operate under," Casey said. "The privacy officer is seeing a cultural shift. They're seeing the idea that there's more than just checkbox compliance, and there's an ethics obligation, making ethics a joint role."
It's one thing to harmonize ethics in an organization, but it's another to operationalize it. Deploying an ethics framework has much to do with an organization's approach to and feelings about data. Casey and Surber suggested that measures such as risk analysis, guidance mapping and tasks, record keeping and metrics are among the best ways to keep ethics in check.
"You can fight the perception of something being done wrong by employing your ethical measures," Casey said. "They allow you to say, 'Here was our good faith attempt at fixing this problem, and here's what we based it on.'"