Businessman sitting working on computer at night

Four steps to embed data ethics into your data risk control environment

Related topics

As data privacy concerns increase, data ethics should be factored into data use decisions in addition to legal permissibility.


In brief

  • Many regulators and customers want organizations to look beyond minimum standards set forth in data protection rules when making data use decisions.
  • Data ethics guidelines should be defined and reviewed by stakeholders to validate alignment with the organization’s ethical appetite.
  • New technologies and process improvements can be utilized to operationalize and expedite the consideration of data ethics in decisions.

Many organizations have found that data use is essential to business growth, however there is increasing concern in the public about the sensitivity and volume of data used by organizations for innovation and other purposes.  As a result, data ethics is often essential to support innovation, fulfil regulatory demands and winning customer trust.

Data ethics compels organizations to look beyond legal permissibility and commercial strategy in the “can we, should we” decisions about data use. It prompts users to factor into decision-making a wider, often more complex set of considerations that include such things as customer views, social norms and data ethics guidance from regulators.

This complexity is causing many data ethics initiatives to stall. Early movers - who make the link between data ethics and customer trust - will often gain a significant competitive advantage. But the journey from principles to process is not always straight forward. Leading organizations have learned that simply instructing their officers and employees to “do the right thing” is not an effective way to identify newly acceptable data use cases and support innovation across their organization.

Four key steps will help organizations transition away from a principles-based approach and realize the advantages of a fully operational data ethics process.

Download how to operationalize data ethics


Many organizations have realized that their employees need more guidance when it comes to determining whether the organization should be utilizing data in a particular way.


Four steps to move from principles to process in your data ethics program

Step 1: Review existing policies and operating models
 

The first step is to take stock and evaluate how well existing data ethics principles, policies and processes are operating. Organizations should ask:

  • To what extent can we trace existing ethical foundations back to current and emerging regulatory guidelines?
  • How well do our existing controls operate when compared to the prevailing industry best practices and our competitors?
  • What are the gaps in our existing ethics policies and related processes?
     

Answering these questions will usually enable organizations to identify key areas for policy and process improvements. It can also help you to trace data ethics controls back to a set of defined principles and regulatory guidance. From there, organizations should be able to define a target state that promotes lawfulness, accountability and trust.
 

Step 2: Engage internal and external stakeholder groups to refine key principles and policies
 

Using a mix of interviews, customer reviews and surveys, the goal for the second step is to surface the ethical tensions between stakeholders and, in turn, identify areas where their ethical sentiments converge. This should help to determine the organization’s data ethics risk appetite.

It is often not clear how the trade-off between unlocking value from data assets should be balanced against the interests of other stakeholders outside of the organization. Therefore, engaging with internal stakeholders, regulatory bodies and customers is usually essential as you develop, implement and run the framework. You should:

  • Identify which internal stakeholders should be engaged to deliver a diverse and representative balance of voices and opinions that are relevant to organizational goals.
  • Take care that the Data Ethics Board, if the organization has one, contains representatives from the executive board, non-executive directors, technology, legal and compliance.
  • Supplement the Data Ethics Board with representatives from outside the organization, such as customer representatives, academics and external consultants who can embed a balance of views and challenge decisions more freely.

As organizations develop a risk appetite, you should provide platforms where the voice of the customer is clearly considered by engaging with customers through online surveys, in-person interviews and customer labs.
 

Step 3: Design and implement a trade-off framework
 

Once you have positively defined the standards that match the organization’s ethical appetite, designing and implementing an ethics trade-off framework is the leap that will usually take organizations from a principles-based approach to one that embeds data ethics into existing processes, operations and decision-making. It can also enable organizations to transition from paper policies to a technology-led architecture.

An ethics trade-off framework is a system that helps data users evaluate the trade-offs between opposing ethical positions. For example, a trade-off framework could include technology-enabled processes, rules and logic that aid first-line data users to:

 

  • Identify the ethical impacts of a proposed data use-case.
  • Evaluate the ethical risks flowing from the trade-offs that result from those impacts.
  • Evaluate whether these risks fall within the organization’s ethical appetite.
     

The outputs of the framework can then usually be used to anchor decision-making.
 

Step 4: Utilize technology to embed data ethics controls in first-line decision-making
 

Now that the organization has the building blocks of a data ethics architecture in place, the final step is to apply the newly enhanced policies, ethical appetite and trade-off framework to existing day-to-day processes and controls and test them so that they function as intended.

New technologies can help digitize the privacy risk control environment to unlock value from your data assets. You should explore how new technologies embed data ethics controls and test whether the solution can help deliver clear data ethics assessments to first-line data users, support rapid decision-making and guide sustainable business growth.

Lastly, to maintain the organization’s ethical appetite, regularly refresh opinions from stakeholders to update stakeholder sentiment in the trade-off framework. Monitor developing regulatory guidance and update policies as needed. Review the use-cases being tested by front-line staff to validate that the trade-off framework is delivering the expected results, and request feedback from technology users to streamline the approach.

EY member firms do not practice law where not permitted by local law or regulation.

 

Summary

Operationalizing data ethics within your organization can be challenging, but the benefits are many. Defining and embedding data ethics, including trade-off guidelines, into technology-supported processes can help you demonstrate to regulators, guidance bodies and consumers that your organization is acting within the letter and spirit of data protection rules. Doing so can help you garner greater trust from consumers and may help you stay ahead of regulatory developments by identifying early changes in regulatory attitudes. A clear framework also provides your employees with guardrails within which they can explore innovative and ethically acceptable ways to unlock value from data.  

About this article

Related articles