The data ethics of GDPR are changing

Data science simply cannot exist without data ethics. Without the assurance of an ethical framework, data science risks being rejected as unworkable or even dangerous.

Data ethics then is both critical, and fragile. This vulnerability means it is imperative to understand how it is changing so that we can prevent any disorientation that may arise as it evolves. This brings us to privacy, one of the key crossovers between data ethics and data science, and one of the most combustible.

Organisations today place more value than ever on their data, especially as many depend on the high-volume collection and monetisation of personal records. Companies collect and profit from the use of data on the understanding that it is not exploited or put at risk. However, there are numerous examples of negligent data breaches, resulting in the creation of more data privacy legislation across the globe.

Of course, the most notable example in Europe is the General Data Protection Regulation (GDPR). One of the most important parts of this are the six specific grounds for a company’s granted use of data, including public interest and legal obligation to consent. GDPR was created to answer society’s increasing data privacy concerns, so these grounds can therefore be considered the sole ‘ethical uses of data’. In many ways the purpose of legislation is to practically structure moral structures.

 Within the legislation, a company is permitted to hold and handle personal data if it supports their own “legitimate interests”. Some may think this is highly objective, and it is – and intentionally so. The clause was deliberately included to ensure the legislation gave businesses enough wriggle room to avoid their regular and reasonable activities being unduly restricted.

Provided a business can prove that its use of the data is sensible and does not violate the data subject’s natural rights to privacy, then it is permissible. This means that “legitimate interest” relies on a perception of ethical conduct.

But the ethical framework against which this judgement will be made is changing.

The hysteria surrounding GDPR’s arrival has already created an inaccurate perception of what constitutes ethical use of personal data. A common and impractical misconception has arisen, claiming that a company’s use of a person’s data depends on their active and deliberate consent. Clearly this is not the case, but if this perception continues unchecked – and it most probably will – then entirely permissible uses of data will be considered unethical, perhaps illegal, and possibly even reported to already overstretched Supervisory Authorities. Not to mention potentially sparking the exact PR crises that well-intentioned brands are seeking to avoid.

Transparency is everything here. If companies are as open as they can be, stating at the earliest possible opportunity how and why they are using personal data, they validate their activities and earn the trust of their customers. Such candidness from organisations requires absolute confidence in their legal and ethical standing, as well as in their processes and technologies. It is a very high bar, and one that few are meeting, which is why many are seeking external support.

These companies that are recognising and addressing their shortfalls should be praised for doing what many are failing to do – ensuring that they not only act legally, but also meet the far more notable standard of acting ethically. A trait that customers value far higher.

By Sophie Chase-Borthwick, Director of Privacy Services and Data Ethics, Calligo