Data is Risky Business: An Unholy Trinity – Ethics, Risk, and Uncertainty

We have had a busy few months in Castlebridge, with the last few weeks being an intense period of engagement and activity at the cutting edge of ethics in information management. A key area of focus has been our work to begin formulating the next level of our E2IM Ethical Enterprise Information Management framework that Katherine O’Keefe and I introduced in our book back in May of 2018.

We’ve been lucky in this work to have had the chance to discuss and debate our ideas with The Data Doc himself, Dr Tom Redman, and the ever-insightful Michelle Dennedy from Cisco, the lead author of “The Privacy Engineer’s Manifesto.” Both wound up in Dublin the same week and we took advantage. It was, as always, fun and intense.

Out of those sessions came some thoughts about the worlds of ethics, quality, governance, and risk in the context of data and information, which I’d like to share with you in this month’s column. Our brainstorming with Tom and Michelle was, to an extent, amplified by a week we spent in Brussels at the International Conference of Data Protection and Privacy Commissioners, the theme of which was “Debating Ethics.” Some of these insights have wound up in my recent plenary keynote at the IRMUK EDBIA conference in London this past week (19th-21st November), and some of them I’m sharing with you to explore them a bit and see how they sit. I thank you for your indulgence in this regard.

Uncertainty

I loathe FUD (Fear, Uncertainty, and Doubt). Which means it does discombobulate me to have to define one of the key business drivers for effective ethical practices applied to information as being uncertainty. The key difference here is I’m not pushing your FUD button like a malign PT Barnum in order to sell you some panacea software or methodological elixir that’ll cure what ails you (and will inevitably involve Blockchain). Instead, I’m sharing the insight that Katherine and I reached after an intense whiteboard session with The Data Doc. That is, there are three key reasons to approach information management from an ethical perspective, with intentional, planned-for situational modifiers in your organization to guide and inform the ethical choices your organization makes:

The legal and regulatory landscape around data is changing globally at a faster pace than ever before.

As organizations become more information-intensive, and as the potential impact on individuals and society becomes more pronounced and significant, legislators around the world are increasingly looking to, or are being called on to, introduce laws to curb excesses, drive a focus on the impacts and externalities of information processing, and generally try to make it harder for organizations to get away with doing bad things with data. Likewise, court systems around the world are increasingly seeing litigation arising from the use, misuse, or abuse of data. As legislation always lags the potential harm in a thing, we are increasingly seeing a landscape where we often don’t know what legal rules might impact on our processing plans.

But adopting some core fundamental ethical concepts can help simplify the uncertainty because laws, in general, are formulated to protect society from some perceived harm. If you have adopted an internal benchmark for good data conduct, this can be used as a basis for more specific regulatory governance responses when legislation crystallizes in relation to an issue. In various data privacy laws around the world, such as the EU’s GDPR, we see concepts such as “Binding Corporate Rules,” which are in effect a mechanism for adopting common ethical standards for handling data about people based on the legal requirements of a nominated jurisdiction.

  • Uncertainty: What will the laws be we have to comply with?
  • Ethical Response: What is the right thing to do? Is there a jurisdiction with laws already? Can we learn from it?

The computing power and potential at our disposal continues to grow

The pace of innovation and change is such that we now carry in our pockets devices with hundreds of times the computing power of larger, heavier devices of just a decade ago. The iPhone isn’t even 10 years old yet.

However, legislation and regulatory frameworks don’t move that fast. It is often joked that the EU’s 1995 Data Protection Directive was out of date a few months after the text was finalized because a researcher at CERN named Tim Berners-Lee had an idea about something that became the World Wide Web. The corollary of that is that, quite often, innovative technology companies and information managers find themselves operating at the outer edges of defined legal structures. Either the thing that they are trying to do is beyond the scope of any extant legal frameworks or it is unclear how the existing laws might apply to the new technology or processing activity because it has not been tested in court.

On this month’s Privacy Sigma Riders podcast from Cisco, Jonathan Fox, the co-author of Michelle Dennedy’s book The Privacy Engineer’s Manifesto, describes ethics as “a road map that will help us navigate the gray when we feel there’s goodness to be done, but not all the requirements can be met.” This is an incredibly poetic way of explaining the practical and pragmatic role of ethics in information management. It helps us navigate the gray areas created by the gap between computing power and the potential benefits it may bring and the clearly defined and enforced regulatory rules that should exist for that processing.

  • Uncertainty: How can we navigate the gray?
  • Ethical Response: Here’s some guiding principles and methods for figuring it out.

There is no “data model” for compliance and ethical standards

This was a refrain I heard from several speakers and delegates at the IRMUK conference this past week. It’s nonsense. There is never such a thing, or you need to figure it out for yourself (hint: the Zachman Framework is a REALLY good place to start).

The problem is that Information Management professionals like models, structure, and frameworks, so when we are faced with a broad-reaching and amorphous concept like data privacy legislation, we find ourselves uncertain. What data is in scope? What processes? What structures? What relationships between things? How do we ‘tick the box’ to say we’ve done the thing, so we can move on to the next challenge? What do you mean the rules can change overnight because judges in a court somewhere else in the world have decided that the legislation needs to be interpreted in a different way? What do you mean the cultural norms for things in Country X aren’t like the norms I’m used to?

Again, this results in uncertainty. Our craving for “models” for compliance frameworks stems from our desire to shoehorn often complex issues into simple, packaged models (and ideally one that someone can sell us as a piece of software with a magic button that fixes everything).

Adopting an ethical information management approach allows us to apply an iterative elaboration on our implementation of ethics, which can address the detail when it needs to and lends itself to an ‘agile’ approach to addressing these types of issues. In the book, Katherine and I look at how the Zachman Framework can be applied to this process of iterative elaboration of ethics for information in your organization. Zachman was, and remains, a visionary in my opinion as his framework provides a flexible ontological model to explain the things we need to be managing in organizations from the Executive level down to the instantiation of a process. Recognizing the role of the “Motivation” column in the Framework is a key step to reducing uncertainty.

As an aside – the model should be agile. Your ethics should not be flexible, as this only drives the uncertainty that we are trying to avoid.

Tying this back to Risk

The title of this column is “Data is Risky Business.” It’s important that we tie this back to risk.

The ISO definition of risk is the “effect of uncertainty on objectives.” If we consider for a moment the potential impact on your objectives of the three issues outlined above, any discipline or approach to managing those issues will help to reduce the effect of uncertainty by improving communication in the organization about ethics applied to information.

However, there is another perspective on the impact of uncertainty on your objectives. We are in an increasingly competitive market for talent and resources in the information management profession. And increasingly we are seeing these highly talented people make value-based judgements about where they want to work and how they want their talents and skills used. Likewise, customers are increasingly pushing back against privacy-invasive or unethical business models in information-driven businesses. This customer pushback is being echoed by an increasingly high-profile investor movement towards ethical and sustainable venture capital funding, particularly for technology startups who live and die on data.

So. Ethics in the Information Management world is a key factor in understanding and managing uncertainty in a number of contexts. Embrace the challenge, and you will be the place people want to work, that people want to buy from, and that investors want to put their money with. Fail to get to grips with the opportunity and you may find yourself addressing uncertainty through expensive refits of your technology stack, regulatory penalties, legal fees, or seeing your best and brightest staff walk out the door (often in a high-profile way).

As W. Edwards Deming said, it’s time to embrace the new philosophy.

Postscript:

Thanks to Tom and Michelle for bouncing ideas around with Katherine and me over the last few weeks. And a special thanks to Katherine for helping me hammer this column into shape.


About Daragh O Brien

Daragh is the Founder and Managing Director of Castlebridge, a leading Information Governance, Privacy, and Strategy consultancy based in Ireland. He has a degree in Business & Legal Studies from University College Dublin, and is a Fellow of the Irish Computer Society. Prior to founding Castlebridge, Daragh worked for over a decade for a leading Irish telecommunications company in roles as diverse as Call Centre operations, Single View of Customer Programme management, and Regulatory Compliance and Governance. He is a regular presenter and trainer at conferences in the UK and worldwide. Apart from his consulting and education work, Daragh is also Data Privacy Officer for DAMA International, a faculty member at the Law Society of Ireland, and a contributing research partner to the Adapt Centre in Trinity College Dublin. He lives in Wexford in the South East of Ireland and can be reached at daragh@castlebridge.ie or on Twitter: @daraghobrien. In 2016, he was ranked by Onalytica as the 24th most influential person on Twitter in Information Security (including Data Governance and Data Privacy).
