Data review boards are an emerging tool to help companies make responsible decisions about data use, as well as demonstrate their commitment to ethical decision-making to regulators, journalists, markets and consumers. We would like to highlight the key issues for organizations considering DRBs to improve decision-making processes, demonstrate accountability and ensure that innovations align with broader organizational and societal values.

What is a DRB?

The concept of DRBs, sometimes called data ethics boards, derives from life sciences, where institutional review boards serve as a mandatory ethics check before conducting research on human subjects. In the U.S., IRBs emerged when regulators were confronted with misbehavior and deception in human subjects’ research, such as the infamous Tuskegee Study in which 400 African-American research subjects were misled about the subject and purpose of the study and were never given adequate treatment for their disease.

The public outrage from the Tuskegee Study led to the National Research Act of 1974, the release of the Belmont Report in 1978, and a requirement for IRB review and approval prior to conducting human subject research with federal funding. The Belmont Report set out broad ethical principles for human subjects’ research that are currently reflected in U.S. law, including three fundamental principles of respect for persons (autonomy), beneficence and justice. Federal regulations outline specific requirements for the creation of IRBs and provide incentives for their use. Today, IRBs (and their functional equivalent of ethical review boards in Europe and elsewhere) are used to assess almost all research involving human subjects.

IRBs and ERBs have helped tremendously to protect individuals in human subjects’ research, without unnecessarily limiting innovation.

They give institutions and individual researchers both confidence and legal protection when engaging in research; they give individual research subjects and the public substantive protection and confidence that research is being conducted appropriately, ethically and in compliance with applicable law; and, if questions are raised about the research, they provide evidence of the reasoning and care the institution invested in before approving the research.

Yet, they do all this without requiring direct government oversight of individual research studies.

The need for DRBs

Companies working with personal data today face a considerable challenge to use data in bold, imaginative ways, while at the same time complying with data protection laws that are often vague, out of date or require companies not only to comply with specific requirements, but also to assess and respond to risk and to be “fair” and “transparent.” In many countries, this has resulted in reliance on billions of privacy notices that few people read and wasteful litigation over compliance with the terms of those notices. Neither do much to advance privacy, but both can lead to an aversion to risk that stifles innovation. Moreover, no amount of compliance or notices can calm the storm of public criticism that attends legal, but surprising or ill-considered data uses.

DRBs are a key, scalable and affordable tool to help fill this gap — to help think through innovative data uses, avoid missteps and recover more quickly when they occur.

DRBs are a key, scalable and affordable tool to help fill this gap — to help think through innovative data uses, avoid missteps and recover more quickly when they occur. As one European regulator emphasized about the value of DRBs: If an organization could “demonstrate that (it) made thoughtful, reasoned choices,” this would be “very instructive to data protection authorities.” Such a demonstration could help focus the inquiry, narrow the range of disagreement, reduce damages, and eliminate the perception that an organization ignored or acted recklessly toward the consequences of data use.

What does a DRB do?

While there is no “one-size-fits-all” model for DRBs, they could be used in a variety of roles:

1. Providing broad input to the organization concerning new data uses and the measures necessary to protect privacy (and security) in those contexts.
2. Assessing the data protection risks and tools for ameliorating them of new technologies or ventures as part of the procurement or acquisition process.
3. Reviewing (and possibly even approving) specific new products and services that use personal data; reviews could be required for all new products and services, those involving sensitive data or otherwise presenting heightened privacy risks, or those that meet a predetermined threshold in terms of number of people or volume of data involved.
4. Periodically evaluating existing uses of personal data to ensure consistency with the organization’s values and an up to-date approach to data protection.

DRBs must be adequate in number, size, composition and meeting frequency to manage the responsibilities given to them. It is also critical to set up clear triggering conditions for DRB review, such as when there is a new proposed data use, a new type of risk, or at the discretion of the organization’s chief privacy officer or general counsel.

Once in place, the DRB will be tasked with determining whether a particular questioned use of data is appropriate and consistent with company ethics and then documenting the reason for its decision. This formal documentation is a hallmark of an ideal DRB, particularly if an organization is hoping to achieve some form of regulatory benefit. It is critical to document what the DRB was asked by the company, how the DRB responded to the inquiry and what the company did with that information. If a company chooses to go against the DRB recommendation, it should document why it chose that route and what actions were taken to mitigate risk. Not only does this help organizations demonstrate their decision-making to regulators, but it also builds a variety of use cases for the company to refer to when considering future data uses.

What does a DRB look like?

The way an organization structures a DRB will determine its value, and this structure largely depends on an organization’s goals for the DRB. A purely internal DRB can help organizations improve decision-making and harmonize data uses across enterprise silos. However, organizations wishing to achieve maximum benefit from a DRB, including to demonstrate responsible and accountable practices to consumers and regulators, will wish to implement DRBs that meet more robust requirements.

One key requirement is to identify a diverse range of stakeholders to provide a wide array of relevant perspectives. This may include a data protection expert, lawyer, engineer, consumer advocate or academic, but it should also reflect the diversity of the consumers or employees whose data will be used. This diversity of perspectives is a key strength of the review process. Diversity may be different based on the setting, but the key is to have a wider array of perspectives to facilitate a more holistic and inclusive decision-making process, especially if that process is to reduce the need for individual data subject consent.

External DRB members are key to building confidence that the review process was thorough and serious. External validation is a key part of many legal systems and markets (consider, for example, independent auditors and inspectors general), and in privacy in particular, long-established protections have focused on the importance of a decision-maker or evaluator separate from the proponent of the data use (thus the requirements for review by neutral detached magistrates, grand juries or oversight boards).

As U.S. and European laws governing review boards in the context of IRBs and ERBs have long emphasized, some participation by people outside of the organization is critical. To provide the greatest possibility of regulatory acceptance, a DRB should consist primarily or even exclusively of external members. Non-disclosure agreements and other tools can help ensure protection of competitive information, as they already do in many other business settings.

One of the key challenges of DRBs is ensuring that the review process is speedy and scalable.

One of the key challenges of DRBs is ensuring that the review process is speedy and scalable; reviews that routinely take months will be seen as counterproductive to innovation. IRBs may again provide an instructive lesson; research-intensive organizations often have multiple IRBs, often with topical specialties, to handle the workload. Smaller institutions may have only one or may even use a third party’s IRB. Similarly, not all matters referred to an IRB require review by the entire committee. One potential best practice for DRBs could include establishing a group of 12 or 15 DRB members but only requiring review by a subset of those for more routine matters.

Also, not all reviews have to be in person; video and teleconference reviews can be appropriate in certain cases. By having a DRB already established, with members vetted and NDAs in place, reviews can be speedy, affordable and highly beneficial. 

Who needs a DRB?

Whether an organization is looking to foster public trust, encourage ethical innovation or promote regulatory compliance by documenting decision-making processes, DRBs offer a wide range of benefits to any organization wrestling with new uses or applications of data. Taking time to pause for a moment and consider the impact of novel technologies will give companies more confidence moving forward with their innovations. Like a speed bump ensuring drivers to slow down and pass through an area safely, the DRB process may require organizations to move a little slower at first, but this pause enables them to later move faster and with far greater confidence.

While implementing a DRB may seem daunting, companies do not need to get it perfect right away.

Speaking at the IAPP Data Protection Intensive: UK 2019, Simon McDougall, executive director for technology policy and innovation at the U.K. Information Commissioner's Office, explained, "I would encourage organizations to think about a sliding scale rather than just jumping in. Organizations do not need a whole complex of Avengers assembled line of superheroes.” He concluded, “Do something where you start to get the dialogue and the challenge going; start to get your engineers and your change managers and your business leaders understanding the value of having this challenge; and then maybe in the future you can say, ‘This is working well, but it would be even better if we brought in a few from the outside and formalized it.’”

The goal of a DRB is to facilitate better decision-making and responsible innovation, improve organizational accountability and create trust. DRBs will help organizations consider novel data uses in the context of the law, as well as organizational and societal values. DRBs can also be a valuable internal educational opportunity.

DRBs can provide early warning to management and help organizations avoid data uses that shock consumers or fail to include appropriate data protections. DRBs can also be an effective internal tool to give confidence to upper-level management while encouraging smarter innovation throughout an organization. They can demonstrate an organization’s commitment to compliance with data protection laws and to ethical data practices, and they create a record that can be used to respond to regulator inquiries.

At the end of the day, DRBs are a promising tool for improving institutional decision-making and facilitating responsible innovation.

Photo by Haupes Co. on Unsplash