As COVID-19 continues to spread, the data collected from those who are infected will increase greatly. As the number of infected individuals rises, so does the potential stigma associated with infection. As a result, companies that collect data indicating infection status – even incidentally – must handle that information in an ethical manner that protects the privacy of data subjects. Even when regulations are vague or nonspecific, organizations must assess the necessity of sharing sensitive information, and they must respect the preferences of their data subjects.
Extending explicit choice to consumers even when not required allows them to control their own data in a detailed manner. Organizations increasingly are realizing that this is a business advantage.
Regulatory compliance versus ethical complianceRegulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) suggest that data privacy is an increasingly universal concern. Regulations likely will continue to expand in geographic coverage and in specificity. Some companies, such as Microsoft, have taken a proactive approach and extended the protections afforded by this progressive legislation to those who reside outside the covered jurisdictions.1
These extended protections anticipate the likelihood that similar legislation will be enacted on a wide scale. But a standardized regulatory framework also can serve as a foundation on which a company can build clear privacy policies and standards, keeping the rights of the consumer front and center.
Implementing an ethical data privacy frameworkAn ethical data privacy framework puts the rights of the data subject at the center of all data gathering activities. Organizations should be cognizant of the fact that any data gathered from consumers is essentially a loan, not the property of the organization that gathers it. Consumers must be given proper notice that their information will be used and how, and they must be provided with an opportunity to actively consent to its use. Once the business purpose for which the data has been collected has ended, the data should be deleted or de-identified in a secure fashion.
Many companies elect to use opt-out consent, in which the consumer must take an action to limit the use of personal information. Privacy notices can be inconspicuous, and most consumers ignore them. Using an approach that allows the consumer to opt in is more ethically sound. By proactively alerting the person that they have a choice regarding the collection of personal data, organizations can make sure information is provided willingly.
The process of designing a standardized approach might result in a framework that is “over-compliant” in some parts of the world, and, initially, it will be expensive. However, cost savings are almost immediate. Organizations are relieved of some of the bureaucratic burden of starting from scratch with each new regulation. A “high-road” approach can increase the likelihood that only limited actions are needed when new regulations arise.
In addition, reporting of possible breaches is easier when data liabilities are thoroughly cataloged, so a standardized framework must include data mapping. Such an approach can make it easier to identify data subjects at risk so appropriate remediations can be taken quickly.
Business benefits of ethical data privacyThe ethical treatment of data is both an obligation and a benefit, but it also is a business advantage. Aside from the returns from designing and implementing a framework that might make adaptation to new regulatory requirements a simpler task, ethical data privacy increasingly is becoming a consumer expectation.
Companies not yet exposed to stringent regulatory requirements might resist implementation based on cost. However, the reputational benefits garnered by responsibly caring for data can be used to boost market confidence. A 2020 study conducted by Cisco found that more than 40% of companies that invested in privacy saw a return on investment of at least twice their initial spending.2
Smart companies will see this trend as a foreshadowing of the likely commodification of data when, in the near future, consumers are able to put a market value on their own information. When this happens, the safety and ethical treatment of that data will be a significant factor in consumers’ decisions to sell it or not.
With this in mind, forward-thinking organizations should give data privacy professionals a seat at the table. Considering these issues at the executive level benefits both service providers and consumers.
Disclaimer: As originally published in CPO Magazine, April 27, 2020, https://www.cpomagazine.com/data-privacy/ethical-data-privacy-in-a-time-of-covid-19/
1 Julie Brill, “Microsoft Will Honor California’s New Privacy Rights Throughout the United States,” Microsoft on the Issues, Nov. 11, 2019, https://blogs.microsoft.com/on-the-issues/2019/11/11/microsoft-california-privacy-rights/
2 “From Privacy to Profit: Achieving Positive Returns on Privacy Investments,” Cisco Data Privacy Benchmark Study, January 2020, https://www.cisco.com/c/en_uk/products/security/security-reports/data-privacy-report-2020.html