Bringing the ethical data conversations from academia to the enterprise

Why do you do what you do? It’s a fun question to ask among friends at a party. As important as it is for individuals to reflect upon why they behave as they do, it’s also critical for the enterprise, particularly in an interconnected world that is deeply entrenched in collecting data.

Everything is a commodity. That’s why so many corporations have suffered seeing their names in headlines. Criminals reap financial gain by stealing sensitive data. This is nothing new, so maybe what enterprises need to be thinking about is not whether their data will be compromised but whether they need to collect all of the data that they are acquiring.  

The less you have, the less you have to protect.  

An important question, then, is not only what data do we need, but why do we need it?  Taking that line of inquiry even one step further, one could ask, what then is the ethical responsibility to protect that data?

Robin Wilton, technical outreach for identity and privacy at the Internet Society, spoke about ISOC’s tutorials for end users on managing identity and digital footprints and about the ongoing work they do with the ethical data handling by corporations.

Wilton said for most companies when they think about securing data, it is from a risk and compliance perspective. “Enterprises are usually asking, ‘Does it generate risk for us? Are we mitigating that risk properly? Are we in compliance?'” Wilton said. “When there is a data breach, it calls into question their ability as custodians in data,” he continued.

But what if securing data were about more than risk and compliance? “You can argue that if a company is really focused on governance, risk, and compliance that they have drafted checklists for operational staff to say when you get personal data, this is what you need to do,” Wilton said. A checklist certainly starts out as an attempt at best practice. 

The problem is that in the daily grind of any company’s procedures, “You have a periodic audit and someone goes down a checklist. One item is that you are supposed to seek consent,” Wilton said. So, the mundane process of working through the checklist begins. Are you doing this? Are you doing that? Yes or no. 

“You work your way down the checklist and then you are done so that it becomes a fixation on checklist not why you are doing that in the first place,” said Wilton.

The items on the checklist are there because complying with them indicates that you have the end user’s best interests at heart. “You want to be seen as an ethical organization,” said Wilton. “The audit process is not an end in itself, which is why you might want to work toward ethical outcomes as opposed to compliance ones.”

These conversations abound in the academic world, but when students leave the classroom and enter into the professional realm, they get caught up in learning how to do their jobs.

There is a case for an ethical approach to handling data, even if it sounds too idealistic. It establishes trust, sound principles, and good business practices. Wilton said, “I would love to think that new professionals can inject new ideas, but if I think back to myself being in that position, I can only imagine the answer I would have gotten, which is ‘we are not a charity’.  

Sometimes, though, the way things have always been done isn’t necessarily the best way. For most organizations, there are few economical needs to demand ethical behavior, so we have to be pragmatic, said Wilton.

“The question we ask is ‘How can we work within the existing structure to get better outcomes for the end user?’, and the answer is fairness,” said Wilton. Establishing data controls that give end users choice about what they need to share and what can be done with it is good practice.  

Rather than running down a checklist for an audit, ask ethical questions, like the ones professors ask in class discussions in order to work toward collaborative security. Is the way you ask the user questions transparent? Is it explicit? “Don’t just think about ethics, use ethics to guide your business behaviors so that users can make a more informed decision,” Wilton said.