We recently co-hosted a webinar on data ethics with IAPP.
The subject of data ethics drew a lot of attention and raised interesting questions and discussions.
And one thing is clear:
What is good for customers, lawful and ethical is not always the same thing.
Most businesses rely on the use of personal data. It’s often an important aspect of staying both relevant with customers, and competitive in the market.
However, it’s important to be conscious about not overstepping certain boundaries.
To find the right balance, you need to consult more than the law.
Processing that is lawful might not be in line with customers’ expectations. And processing that your customers would be comfortable with might not be lawful. Even if it’s lawful and ok with your customers, it might not be ethical.
We’ve previously suggested using “the transparency test” for internal decision making.
To evaluate whether new or changed data processing activities meet customers’ expectations and are something you should do, simply ask the question:
Would you be comfortable explaining to the data subject exactly how and why data would be processed, including any risks?
Only if the answer is yes are you good to go.
Introducing the Easy (“ECE”) Privacy test
The transparency test is helpful, but it doesn’t cover any legal or ethical aspect, so let’s create a more comprehensive one.
The test asks three questions, which act as three lines of defence. Only if you pass them all should the data processing being evaluated get a “go” decision.
It’s called the Easy (“ECE”) Privacy test, and involves customer understanding, the law, and our gut feeling. ECE is short for Expectations, Compliance, Ethics.
Understanding and managing your customer’s expectations is everything. So we start with the customer before moving on to other considerations.
1. Would the processing be in line with your customers’ expectations?
Only you can answer this. Your experience and expertise regarding your business and customers (your brains) have the answer. Expectations vary depending on your customer base.
If you pass the first line of defence, move to the second one.
2. Would the processing be lawful?
You don’t get to decide what is lawful, so there is a need to understand the law. This is where you read and interpret relevant regulations — you need your books.
And perhaps a lawyer or two.
Passed the second line? Great, third question.
3. Would you be comfortable having someone in your family be subject to the processing?
The customer is not always right. The legislator doesn’t always get it right. But you should do your best to do the right thing.
Ethical standards are based on the values of the societies we live in. What is ethical differs for different people in different cultures, and it changes over time. So what counts as ethical data processing is not something you will necessarily find in the law, or hear from your customers.
So get personal. After all, ethics and processing of personal data is a very personal thing. Use your gut feeling.
Any business claiming to take privacy seriously should consider what is good for their customers, what is lawful and what is right. Do not process data unless you’ve considered all aspects, and enable people to understand it.
Inform and engage through helpful information so people can form an opinion.
Empower people to be in control of their own privacy.
This post is written by Egil Bergenlind – it can be read in its entirety here.