Ethical data usage in an era of digital technology and regulation

By Ewa Janiszewska-Kiewra, Jannik Podlesny, and Henning Soller

Digital surveillance and technology have been brought to the forefront of public discussion during the global coronavirus pandemic. Companies and government entities have volumes of customer data at their fingertips, and the amount is only increasing. In this context, debates are ongoing as to whether it is acceptable for governments to track the location of citizens under quarantine or use mobile-phone location data to conduct contact tracing, for example. As access to customer data increases, businesses must have clear, transparent standards on how they will use that data.

Companies of all sizes should have data-protection guidelines in place, but the larger the company, the higher its exposure to data risks. Unfortunately, most organizations do not have clear rules in place on how to treat and protect customer data or how to prevent breaches. Often, this is because businesses assume the majority of data-protection responsibility resides with regulators. In other cases, companies attempted to organize a committee to create data-protection guidelines but were unsuccessful because there was no clear vision of what the program should look like or who should lead the effort outside of IT.

However, having a good policy—and enforcing it—around the ethical use of data is a competitive advantage for businesses. As customers prioritize data privacy, they will pick providers that offer full transparency about their data collection and processing. Data ethics is at the top of the CEO agenda, as negligence may result in severe consequences such as reputational loss or business shutdown. To create an effective policy, companies need a formal program to ensure standards are upheld and evaluated regularly.

The case for a corporate data program

Regulators tend to focus primarily on how collectors and disseminators of data—such as data brokers, governments, and large corporations—oversee the privacy and protection of personal data, versus the nuances of how the data is used. While many legislatures have already introduced data-privacy protection laws, they are not as effective as they could be. The European Union’s General Data Protection Regulation (GDPR), for instance, works well as a breach-notification system but has not been consistent in imposing penalties to deter company behavior that violates customer data privacy.1

A data program should go beyond just regulation in protecting the privacy and use of customer data. It should focus on providing transparency about what data is collected and how, how the information is used, and whether those use cases are appropriate. Further, companies should be able to identify potential data usage that might be deemed illegal (such as voting analysis to influence voters). Currently, there are a few promising examples of such programs in the banking industry, though no companies have emerged as clear leaders.

Building a successful ethical data-use program

To build a robust program for ethical data usage, organizations should take four steps.

Align on company vision and beliefs

Organizations need a shared vision and mission for what their data program will look like, tailored to their industry context. Being clear on the company’s vision, the values it supports, and how a potential data use case aligns with those values is critical and can guide decisions around data usage. For instance, a health company deciding whether to sell pseudonymized data can evaluate the decision against its data ethics.

Having clear values and standards helps companies decide which data ventures are OK and which ones are not.

Determine data ownership and risk mitigation

A good data program defines roles for the ethical use of data and data ownership. Then, if an algorithm needs to be overridden, for instance, or a system’s access to data adjusted, it is clear who should make those changes. The program’s policy should also clarify company responsibility for data collected and processed.

Organizations should also be aware of existing data risks, such as using personal customer contact information. Should something go wrong, such as claims fraud in insurance, for example, the business will need a secure escalation process in place. Prudence and compliance are enablers, not inhibitors, of business value creation.

Evolve culture and talent

Companies can make data privacy part of their competitive advantage by not only including it in their data-ethics program but also ensuring it is a value embedded across the C-suite. Having a culture of transparency and privacy at the leadership level makes it easier to roll out those changes across the rest of the organization. Having a customer-centric approach also means making data-usage decisions based on their potential impact on customer privacy rather than their immediate economic effect.

Training new and existing employees to adhere to the culture of data privacy and risk mitigation is also critical. Indeed, setting expectations up front around data usage is vital to protecting customer data from unethical use. Thus, organizations should put clear identity and access-management standards in place and ensure that only those with privileged access can view customer data and make system changes.

Set up a data-ethics board

Ideally, a data-ethics board would be a cross-functional committee composed of representatives across business, compliance and legal, operations, audit, IT, and the C-suite that serves as a reference entity for complex and contentious data use cases, such as customer segmentation. IT representation is critical because of the department’s data responsibilities and technical knowledge. Indeed, this department is responsible for several areas of data management and protection. However, it is still the job of business departments and data owners to ensure that their functions comply with adopted policies and continuously monitor new use cases that might need a data-risk evaluation. Product owners can discuss data-opportunity ideas with peers and mentors or leadership and, if in doubt, get approval from the board. Critically, the board must not only define data standards and ensure they align with the company’s values, but it should also have oversight over whether these standards are observed throughout the organization.

How can companies ensure long-term success?

Debates about data ethics can shape industry standards and influence individual choices, such as whether or not a specific data-processing use case should be undertaken. Even the most thorough program around the ethical usage of data, however, will not achieve long-term success if it leaves data management solely to IT. Creating a formal data policy and a data-ethics board to support it helps companies embed these changes in their DNA. C-suite support is also critical. Viewing data ethics as an enterprise-level risk, rather than a functional one, is key to sustaining a data program in the long term.

1Josephine Wolff, “How is the GDPR doing?” Slate, March 20, 2019,

Ewa Janiszewska-Kiewra is a manager of data engineering in McKinsey’s Wroclaw office, Jannik Podlesny is a specialist in the Berlin office, and Henning Soller is a partner in the Frankfurt office.