This post is part of a series on approaching data ethics through the lens of risk: exposure, assessment, consequences, and mitigation.
- Part 1 – exploring the core ideas of risk, and how they apply to data ethics
- Part 2 and Part 3 – questions to kick off a data ethics risk assessment related to company-wide matters
- Part 4 – questions to assess individual data projects
- Part 5 – risk mitigation and otherwise staying out of trouble
Thanks to data breaches, increasingly creepy ads, and “smart” devices that are listening more than people had expected, there is growing concern around the ethical use of data analysis (which includes big data, data science, machine learning (ML), and artificial intelligence (AI)).
Data ethics amounts to doing the right thing with data collection and analysis, and many people feel that companies aren’t sufficiently honest and honorable in how they collect and use information they consider to be sensitive.
The notion of the “right thing” leaves room for interpretation, yes, but it still carries the message that your plans don’t always work out as expected. That leads us down the road of risk analysis:
A risk is a chance that things will not go according to plan. In the event that a risk becomes a reality – that is, your plans go awry – you suffer some consequences.
While you can’t eliminate all possible risks, you can still take the time to find out what they are (perform a risk assessment), see how they may happen to you (understand your exposure), and figure out how you would handle them if they were to happen (explore risk mitigation).
Mitigating risk does not mean that you completely shut down and say no to every opportunity. It means that you take the time to work through possible scenarios so you can reduce their impact. (The alternative is to not do any such homework, in which case you get caught off-guard when things go awry.)
Sometimes your mitigation strategy is to avoid the problem by changing your plans. Other times, you determine that your expected payoff outweighs the consequences. You mitigate that risk by sticking to your original plan but figuring out how you would handle the problem. You’re still taking a gamble, but at least now it’s an informed gamble, and you already know how you’d address a mishap.
The risk approach to data ethics, then, is to see your company’s data collection and analysis efforts through the lens of risk: you perform an assessment to identify potential risks and consequences, understand your exposure to those risks, and then develop a mitigation strategy.
An assessment may uncover a potential for data breach because of how you store information, or for negative press because you get caught collecting data surreptitiously. Another risk is that the third-party service you’re using to collect registrant data is selling that data to other companies behind your back. Or, even, your upstream data provider was not honest about how they acquired the information, and now you’re in hot water for using data that wasn’t really appropriate for you to see. The consequences in all of those cases will involve some mix of public outrage and legal action.
You’re better off finding these potential problems ahead of time, then, so you can change plans or at least be prepared for the backlash. If these catch you by surprise, the recovery effort will distract from your primary business mission while you engage in PR cleanup or court cases.
The first step in performing that data ethics risk assessment is to ask cold, hard questions about what you’re doing with data collection and analysis. The second, and equally important, step is to have the time and discipline to reach honest answers.
It’s not a matter of asking, “can this bite us?” It’s too easy to dance around such simple yes/no questions, so they rarely lead to meaningful answers.
Instead, ask yourself: “what can bite us, and how?”
And then, ask: “what would we do about that?”
Figure out what complaints others – customers, prospects, strangers, regulators – could bring to your door and determine how you’d handle them.
The following questions can seed a discussion on company-wide matters:
- What data do we collect, and why?
- How do we store and protect our data? Who can access it?
- What’s our data supply chain?
- What do people know about how we handle their data?
- Which department is our greatest source of ethical risk?
- What boundaries have we defined around how data can be used?
In turn, these questions can shed light on the risk of individual data projects:
- What’s the business purpose here?
- Who has seen the idea?
- What are the known/built-in biases?
- How closely does it toe the line of existing or upcoming laws?
- How can this data (or data product) be misused?
- Where do we note problems that we’ve uncovered?
I’ll explore these questions in greater detail over the coming posts.
(This post is based on materials for my workshop, Data Ethics for Leaders: A Risk Approach. Please contact me to deliver this workshop in your company.)