Following the latest advancements in the digital economy, technology and science, it has become clear that personal data is the new oil. Regulation (EU) 2016/679 (GDPR) is the response to technological challenges. It aims to empower data subjects and ensure uniformity among Member States. This ambitious piece of legislation has been also accompanied by a radical embracement of ethics, opening a debate about the added-value of ethics-driven compliance with data protection law.
Is ethics the new oil?
Data ethics has dynamically emerged as a trending topic in academia, the public sector and industry. Among the most recent developments in data ethics, it is worth noting that the European Data Protection Supervisor has adopted a proactive position, encouraging data controllers to design, implement and monitor their data processing activities in an ethics-responsive manner. In essence, this suggests that data controllers should engage with the public and develop policies about transparency and accountability in data processing, taking into account the impact of information-based applications on the rights of data subjects.
Similarly, the UK has taken the lead on progressively triggering the debate on data ethics and clarifying what data ethics practically includes. Indeed, two recent initiatives in the UK aim at shedding light on the practical implications of applying ethics under the GDPR. First, the UK Centre for Data Ethics and Innovation – which is currently being established – purports to build trust in data processing activities with the further ambition to construct a fair data protection ecosystem and forge a thriving data economy and market. Second, the UK government has also invited stakeholders from the digital-market and healthcare industries to actively participate in the drafting of the Code of conduct for data-driven health and care technology, whose draft was released in September 2018.
Therefore, it is safe to argue that the application of data ethics is gradually gaining recognition as a safeguard and an asset for institutions and companies. It enables innovation, as part of the companies’ corporate social responsibility, and, most importantly, it facilitates compliance with the GDPR.
GDPR and ethics
Data ethics plays an important role in GDPR compliance and should not be seen either as a vague and unenforceable requirement or as a burden. The GDPR is designed to address ethical concerns about data processing and requires such activities to be ethically reviewed. The GDPR makes an explicit reference to ethics in Recitals 33 and 73 and invites data controllers to adhere to self-regulation mechanisms, such as codes of practice and certification mechanisms (see Articles 40-43). Moreover, the guidance issued by the European Union Agency for Fundamental Rights suggests that the data-protection principle of fairness has an open-ended meaning and requires stakeholders to take into account the ethical factors and conditions of data processing.
Therefore, it is difficult to draw a clear distinction between ethics and law in the current data protection landscape, as the GDPR tends to blur the lines. Complying with the GDPR involves carrying out data protection operations that meet both the GDPR legal and ethical requirements. To this end, ethical assessments should be integrated into the data protection compliance programmes, which should be carried out by experts from various relevant backgrounds and with a holistic understanding of data protection law.
Integrating ethics in data protection compliance operations
Therefore, ethics is inherent to the GDPR and permeates any data processing activity falling within its remit. A few practical steps should be born in mind when conducting ethical assessments of data processing activities:
- Compliance should not be seen as a checklist-ticking task
Mere compliance with each of the GPDR and other data protection laws’ provisions is not sufficient for future-proof and technology-responsive privacy policies. Instead, data protection services should be tailored to identify present and future shortcomings in the technological design and application so that data controllers and processors take all the necessary steps to mitigate potential risks for breaching the GDPR. On top of this, ethics accentuates the role of public trust, engagement, transparency and accountability so that data processing meets both the legal requirements and privacy expectations of the public. Data protection experts with specialist training can provide a safe pair of hands for such endeavours.
- Conduct a risk-benefit analysis
Ensuring proportionality in data processing is a fundamental tenet in data protection law. Not only data processing should be based on an appropriate lawful ground under the GDPR, but it should also be proportionate. This means that the anticipated advantages should outweigh the potential risks for data subjects. Moreover, proportionality requires that any data processing activity is carried out in the least intrusive manner for subjects. These assessments require a consideration and evaluation of societal and ethical parameters.
- Conduct risk-management assessments
A risk-based approach is endemic to the GDPR, because every data processing activity inherently carries risks for the rights and freedoms of data subjects. Technology may raise concerns about the efficiency and applicability of data protection law. This means that compliance with the GDPR requirements and standards is a continuous obligation and that there is no such thing as static and pre-fixed compliance. With regard to the use of Artificial Intelligence, ethical assessments are necessary to ensure the safe application of AI-based technologies, whose consequences are not always predictable.
- Understand the benefits, challenges and limitations of technology
Whereas technology radically transforms society and the available services and products, regulators are often a step behind technologies. Therefore, given the regulatory challenges that new technologies raise, organisations should have the necessary resources to bring insights from industry, academia and the public sector and combine the knowledge and resources across sectors to design both the best data protection and research practices. Indeed, it is necessary that organisations analyse and anticipate gaps in privacy policies and specify the policy and regulatory action to be taken to proactively comply with the GDPR. In this regard, organisations should review the current state of the art and anticipate necessary compliance requirements on an ongoing basis, taking into account the legal, societal and ethical parameters of technology. This will enable organisations to design ethics-grounded data protection operations and align their privacy policies with the GDPR.
Visit our Data Governance and contact our DPO team for more information.