Considering how easy it is to collect data about people's online behaviour, it's no surprise that many companies end up gathering more data than they really need. Collecting unnecessary data might seem harmless, but it's important to remember your legal and ethical obligations when collecting and using people's personal data. In this post we look at how gathering data ethically can help your organisation comply with the principles of the GDPR, improve your data security, and build stronger relationships while protecting people's right to privacy.
Contents
What is (big) data
Data can be defined as the bits and pieces of information that exist and are created all around us, as everything we do on the internet generates data. When talking about data ethics, we mostly think of data as big data. Big data refers to large amounts of data that can be analysed by computers to identify patterns and predict behaviours.
Ethical issues posed by Big Data
You, like many others, might consider big data a safer and more ethical alternative to personal data, since aggregated data doesn't appear to link back to specific people. But "anonymised" data has repeatedly been traced back to individuals. A well-known case is the Netflix Prize dataset: Netflix released viewing records with user names removed, and researchers were able to link records back to named people by cross-referencing the remaining movie, rating and date fields with ratings those people had posted publicly elsewhere. Removing names is not the same as anonymising data.
When big data is analysed, many individual data sets are combined, which raises further privacy and ethical issues. Categorising people and treating them as members of a group can make them targets for unjust treatment, especially groups that already face discrimination. These risks grow as AI and automated decision-making spread across industries, for example in banking, where models decide who should get a loan and at what rate. All in all, companies should think ethically about collecting and using big data as well as personal data.
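The following is an added example, not code from the original post, showing why removing names is not enough. It runs a linkage attack of the kind described above against a constructed, made-up viewing log (the tokens, movie titles, dates and "public profiles" are all invented for illustration): the records still carry movie, date and rating, and a name can be recovered by matching those fields against a profile published elsewhere. It also shows the check a practitioner should run before releasing such a data set: how many rows are unique on their quasi-identifiers at a given granularity.

```python
"""Linkage attack on a name-stripped viewing log, plus a uniqueness check.

All data below is constructed for this example; it is not real user data.
"""
from collections import defaultdict
from datetime import date

# Constructed "anonymised" release: user names replaced by opaque tokens,
# but exact viewing date and star rating are kept for every record.
ANON_LOG = [
    ("t101", "Movie A", date(2005, 3, 2), 5),
    ("t101", "Movie B", date(2005, 4, 17), 2),
    ("t101", "Movie C", date(2005, 6, 11), 3),
    ("t202", "Movie A", date(2005, 3, 9), 4),
    ("t202", "Movie D", date(2005, 5, 1), 5),
    ("t303", "Movie B", date(2005, 4, 20), 2),
    ("t303", "Movie C", date(2005, 6, 12), 3),
    ("t303", "Movie E", date(2005, 8, 30), 1),
]

# Constructed auxiliary data: a few ratings two people posted under their
# real names on a public site. This is what the attacker links against.
PUBLIC_PROFILES = {
    "alice": [("Movie A", date(2005, 3, 2), 5), ("Movie C", date(2005, 6, 11), 3)],
    "bob": [("Movie B", date(2005, 4, 21), 2), ("Movie E", date(2005, 8, 30), 1)],
}


def match_score(token_rows, public_rows, day_tolerance):
    """Count public ratings that match a token's rows on movie, rating and
    a date within the tolerance window (users often rate a day or two late)."""
    score = 0
    for movie, d, rating in public_rows:
        for _tok, movie2, d2, rating2 in token_rows:
            if movie2 == movie and rating2 == rating and abs((d2 - d).days) <= day_tolerance:
                score += 1
                break
    return score


def link(anon_log, public_profiles, day_tolerance=3, min_margin=1):
    """Map each named person to the anonymised token that best matches their
    public ratings, or None when no token is clearly ahead of the runner-up."""
    by_token = defaultdict(list)
    for row in anon_log:
        by_token[row[0]].append(row)
    result = {}
    for name, public_rows in public_profiles.items():
        ranked = sorted(
            ((match_score(rows, public_rows, day_tolerance), tok) for tok, rows in by_token.items()),
            reverse=True,
        )
        best_score, best_tok = ranked[0]
        runner_up = ranked[1][0] if len(ranked) > 1 else 0
        confident = best_score > 0 and best_score - runner_up >= min_margin
        result[name] = best_tok if confident else None
    return result


def unique_fraction(anon_log, key):
    """Fraction of rows whose quasi-identifier (as produced by `key`) belongs to
    exactly one token. 1.0 means every row singles out one user."""
    tokens_per_key = defaultdict(set)
    for tok, movie, d, _rating in anon_log:
        tokens_per_key[key(movie, d)].add(tok)
    unique_rows = sum(1 for _tok, movie, d, _r in anon_log if len(tokens_per_key[key(movie, d)]) == 1)
    return unique_rows / len(anon_log)


def exact_key(movie, d):
    return (movie, d)


def month_key(movie, d):
    # Generalising the date to month granularity is one common mitigation.
    return (movie, d.year, d.month)


if __name__ == "__main__":
    print("linked:", link(ANON_LOG, PUBLIC_PROFILES))
    print("unique rows, exact dates :", unique_fraction(ANON_LOG, exact_key))
    print("unique rows, month only  :", unique_fraction(ANON_LOG, month_key))
```

On the constructed data every row is unique when exact dates are kept, and both named people are linked to their tokens; coarsening dates to the month drops uniqueness to a quarter of the rows but does not remove it, which is why a release should be measured against its quasi-identifiers rather than assumed safe because the name column is gone.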
What is data ethics
Data ethics refers to the responsible and sustainable use of data. It's about doing what's right for people and society. With data being everywhere, organisations tend to treat data like any other resource and forget that they're dealing with information about real people. Data ethics reminds organisations and their employees of their moral obligations when collecting and using data.
Combining ethics with information security can seem complicated, but it's also necessary, as we need ethics to guide us in making good choices. Cybersecurity ethics can also help organisations establish ground values that guide their security work. Some examples of cybersecurity values are fairness, security, transparency, trust and, perhaps the most discussed value in cybersecurity ethics, privacy.
5 Data Ethics Principles
The data ethics principles and guidelines below were created by the think tank DataEthics.eu and are designed to help organisations apply data ethics to their data processing activities.
Principles of data ethics
1. People at the center of data processing
2. Control over personal data
3. Transparent data processing
4. Accountability when processing data
5. Data and equality
1. People at the center of data processing
The interest of people should always come first. People should have a higher status than programs and machines and should be the ones benefitting from data processing.
2. Control over personal data
People should have the primary control over their data. Self-determination should be prioritised in all data processes, and you should be treating personal data as something you borrow.
3. Transparent data processing
Data processing must be fully transparent and explainable - you should be able to explain your data gathering activities, and their social, ethical and societal consequences. Can you for example, tell where your data is stored, what third parties have access to the data you gather, and how you use data to influence behaviour?
4. Accountability when processing data
Accountability should be applied to all your data processing activities to ensure protection of personal data. For example, anonymising personal data, managing third-party data sharing, and setting up a practice for handling data ethically. Your organisation's accountability should also extend to your subcontractors and partners.
5. Data and equality
Sustainable data processing is based on an awareness of the ethical issues of big data and data systems: the harmful effects of user profiling, its impact on self-determination, and discrimination based on people's financial, social or health-related conditions. Equality in data ethics also means actively reducing bias within algorithms.
How the ethical use of data can benefit your organisation
We know organisations already have a ton of responsibilities when it comes to cybersecurity, the GDPR and the safe handling of data. So, why should you prioritise or even consider adding data ethics to the list? To put it simply, protecting data means protecting people. If you care about your customers, employees, and people in general, you should be taking data ethics seriously.
The benefits of data ethics:
- Increase your data security
- Lower the risk of cyberattacks
- Comply with the principles of the GDPR
- Create strong relationships
Data ethics increases your data security
The General Data Protection Regulation (GDPR) requires every organisation to protect the personal data it holds against unauthorised access, alteration, loss and destruction. For this, you need systems and processes in place that protect your data. You can raise your data security level in many ways, e.g. by training employees or having strong IT security policies. We'll discuss these and other methods later in the article.
Ethical use of data lowers the risk of cyberattacks
Did you know that a cyberattack happens every eleven seconds? Cyberattacks occur three times more often than they did in 2009 and are expected to become even more common in the future. Organisations that fall victim to an attack risk both financial loss and reputational harm. This makes cyberattacks hard to recover from, especially for small organisations, with 60% of small business victims forced to close.
The good news is that when employees know how to handle data ethically, they make the organisation a less attractive target and breaches become less likely.
Data ethics helps you comply with the GDPR
Handling data correctly is not a voluntary practice, and failing to follow the GDPR can result in heavy fines. It's safe to say that you'll get a much greater return from investing in employee education and other security measures than from waiting for a data breach to happen.
Data ethics creates strong relationships
Data privacy and ethics aren’t just about not disclosing information. It’s also about who we choose to trust in keeping our information private. When your customers or employees give you information about them, it’s a sign that they trust you’ll keep it safe. That’s why treating people's data as something you borrow will ensure you keep your customers’ trust and meet their expectations on how you handle their data.
Ethical data collection and the GDPR
Let's look at how collecting and using data ethically, aligns with the principles of the GDPR.
Data ethics means being transparent about the data you collect
Transparency is part of the first GDPR principle and is also a principle you should follow to collect personal data ethically. Being transparent about your data collection practices means you clearly communicate what, how, and why you process data, from the cookies your website uses to how you record video meetings.
Use people's data in accordance with their consent
To comply with the second GDPR principle, purpose limitation, you should never use personal data for purposes other than those you specified when you collected it, and, where consent is your legal basis, other than those people actually consented to. This principle aligns well with the ethical data collection values of transparency, fairness and trust.
Collect and store only what you need
To comply with data protection principles three and five, data minimisation and storage limitation, organisations shouldn't collect more data than they need, and they must have a secure practice for destroying it once it's no longer needed. Collecting and holding on to unnecessary information is not only a violation of people's privacy but also increases the damage done in case of a breach. Storing unused data is also a waste of company resources.
Data ethics relies on integrity, confidentiality and accountability
The last GDPR principle, integrity and confidentiality, covers the most fundamental cybersecurity needs, and the GDPR adds accountability as an overarching obligation. Confidentiality is about limiting access to personal data; integrity is about protecting it from unauthorised or accidental alteration, loss or destruction (keeping the data itself correct is covered separately by principle four, accuracy). Accountability refers to your organisation's responsibility for handling data ethically, in accordance with the GDPR, and for being able to demonstrate that it does so.
Questions to ask yourself to increase your data ethics
- Are we transparent about how and why we collect data?
- Do we really need all the data we currently collect?
- Who has access to our data (including staff)?
- Are we storing data safely?
- Do we have a process for safely deleting data?
How to ensure your organisation handles data ethically
Most cybersecurity breaches involve human error. Yet many companies fail to see that employees are the most vital part of their IT security strategy. Here are some ways to ensure your organisation's employees become aware of their responsibilities in handling data ethically and avoiding security breaches.
1. Ensure your employees have basic knowledge of cybersecurity and the GDPR
Cybersecurity ethics should involve everyone within your organisation. Conflicting understandings of IT security concepts such as big data, GDPR, and privacy can make it hard for companies to introduce new cybersecurity practices.
Training is a great way to ensure that employees share the same core knowledge and have an up-to-date understanding of relevant topics. When starting with awareness training, you’ll want to begin with courses on key concepts that build a good foundation. Once your employees share the same knowledge base, you can introduce more in-depth topics such as data ethics.
Topics we recommend starting with:
- Introduction to awareness training
- Phishing
- Passwords
- Personal data
2. Set up ethical IT security guidelines
Ethical security guidelines remind employees that there are existing ways for how they ought to act when it comes to cybersecurity. IT security guidelines give your organisation an overall framework for how to act in accordance with organisational goals and can help you communicate your ethical objectives, delegate responsibility, and report progress.
To create effective guidelines, you need to get through to employees on why protecting data is important. Data ethics can help you argue why following cybersecurity guidelines, and regulations like the GDPR, protects not only the organisation but people in general.
3. Make data privacy tangible with design principles
Most organisations struggle to incorporate privacy into practice. This is an issue not to take lightly, as protecting privacy should be one of the main goals of your cybersecurity work. The privacy by design principles are used by many organisations to make privacy more tangible and easier to work with. They ensure a proactive approach, so that employees can include privacy already at the start of new projects and avoid waiting until a problem occurs - as is often the case with privacy.
These are the 7 principles of privacy by design:
- Proactive not Reactive
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality – Positive-Sum, not Zero-Sum
- End-to-End Security – Full Lifecycle Protection
- Visibility and Transparency – Keep it Open
- Respect for User Privacy – Keep it User-Centric
Whether or not you choose to follow these principles, it’s good to remember that your goal when working with privacy should always be to ensure it isn't breached to begin with.
4. Assess and determine your largest data security risks
Not all your employees manage the same amount and type of data, meaning you might have some areas of your organisation that are more at risk than others. Performing a risk assessment helps you identify where your threats are and where you should be allocating your resources. You can then use the privacy by design principles or your IT security guidelines to set up practices that help tackle the most relevant or high-risk problems.
Performing a risk assessment is also a concrete way to show that your organisation is proactive about complying with the GDPR. To help you get started we have created a free risk assessment template. The template is easy to use, but if you want guidance, you can follow this risk assessment step by step guide.
Data ethics can and should be combined with information security
We know that changing the habits and behaviour of employees is difficult, but it becomes a lot easier when they can reason and understand the value of doing something different. I hope that this post has shown that thinking ethically about how you collect and use people's data is important, not only for GDPR compliance, but also for the sake of your employees, customers, and partners’ right to privacy.
If you want to learn more about data ethics or other cybersecurity-related topics, you can do so through our awareness training program. If you have any thoughts or comments about the article or anything else cybersecurity-related, don't hesitate to contact us.