GDPR and Ethics: What to do for compliance?
GDPR: Ethics and Data Protection
Our digital society is changing rapidly, and emerging technologies present unique challenges to global data privacy and protection. These rapid technological transformations raise further ethical questions about data protection and compliance with the General Data Protection Regulation (GDPR). As the technological landscape accelerates at an unprecedented speed, how can businesses maintain compliance with the GDPR? A strong organizational culture is crucial for business success; therefore, it is necessary to develop an efficient data protection strategy, tailored to the particular scenario, that secures data privacy, availability, and integrity. This article provides a brief overview of the ethical aspects of the GDPR and some technical and organizational measures that demonstrate compliance with its requirements.

The accelerating pace of development and adoption of new technologies affects every area of the economy, society, and culture. At the same time, rapid technological change poses new challenges for policymaking: it can outpace the capacity of governments and society to adapt to the transformative shifts that emerging technologies bring about, as these can affect labor markets, perpetuate inequalities, and raise ethical questions (UNCTAD, 2010). As Moor (1985) predicted in his influential article "What is computer ethics?", human activities and social institutions would be transformed by the coming Computer Revolution, leaving policy and conceptual vacuums about how to regulate computer technology. Such policy and conceptual vacuums are fundamental problems within computer ethics (Moor, 1985).
On April 6, 2016, the Council of the European Union published the General Data Protection Regulation (GDPR), which came into full effect in May 2018 after a two-year transition period. The GDPR is extensive, far-reaching, and light on specifics, making compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs) (GDPR-EU, n.d.). The whole point of the GDPR is to protect data belonging to EU citizens and residents. The regulation applies to organizations that handle such data, whether they are EU-based or not, as long as they target or collect data related to people in the EU (this is known as the "extra-territorial effect"). The GDPR placed more responsibility on organizations, increased individuals' rights, and gave them more control over how their data are collected, used, and protected. It also binds organizations to new, strict rules about using and securing the personal data they collect from people.

The GDPR has had a global impact, becoming a source of international best practices that treat data privacy and ethics as core values. Thus, it provides a guide to organizations that aim to protect personal data even when the law does not directly apply to them. The GDPR affirms the fundamental right to data protection and should be applied in a legitimate, effective, and consistent manner. However, ethical judgments require ethical standards, and the GDPR does not sufficiently specify them (it does incorporate ethical principles, but their prominence, explicitness, and clarity are intermittent and fragmentary across the various Recitals and Articles). At the core of the GDPR are seven key principles relating to the processing of personal data (Article 5): lawfulness, fairness and transparency; purpose limitation; data minimization; data accuracy; storage limitation; integrity and confidentiality (security); and accountability.
The dual objective of EU data protection (fundamental rights protection and free movement of data) can lead to tension between conflicting ethical principles. Nevertheless, ethical judgments are increasingly becoming an integral part of the application of the GDPR (Hijmans, 2018).
What to do for GDPR compliance?
As the technological landscape accelerates at an unprecedented speed, how can a business maintain compliance with the GDPR? Each organization has its own business strategy, and therefore developing an efficient data protection strategy must be a continuous effort as new technologies emerge. Specifically, businesses and organizations must look at their data and processes from an ethical standpoint. Companies and organizations must not focus so much on the regulation and potential fines. Instead, they should focus on their people and clients, delivering a values-led approach that provides the best opportunity to build and sustain trust. It is crucial to communicate the importance of the ethical use of personal data, the attitude towards it, and the respect and value it deserves (IBE, 2018).
Ideally, businesses should continuously analyze how they collect, process, disclose, store, and delete data. Here is a summary of key steps to comply with the GDPR:
a. Mandatory training
Mandatory training is vital for companies that need to make their staff aware of the GDPR. The security of customers' data must be a priority for every organization.
b. Code of Conduct
Codes of Conduct are accountability tools with internal rules that help companies demonstrate GDPR compliance; they also serve as transparency guidelines regarding the level of data protection provided. GDPR Article 40 encourages the creation of codes of conduct that contribute to proper compliance. Essentially, the GDPR promotes codes of conduct as a convenient way to demonstrate compliance.
c. Data Mapping
An essential step towards compliance with GDPR is understanding how data moves in your organization. Documenting how information flows in the company by making an inventory helps demonstrate compliance. Mapping the data flow will also help identify areas that could cause GDPR compliance issues.
d. Report data breaches
It is necessary to have proper procedures in place to detect, report, and investigate internal and external data breaches. Typically, businesses and organizations must report data breaches to the Supervisory Authority within 72 hours unless the personal data was anonymized or encrypted.
e. Separation of duties (SoD)
Separation of duties (SoD) is a risk management strategy used by a business to prevent fraud and other security compromises by dividing the tasks and associated privileges of business processes among multiple users. SoD is a core internal control that can sometimes be costly.
As responsibilities are assigned to individuals to enforce checks and balances inside the system, the opportunity for unauthorized access and fraud is minimized. The roles that the GDPR expects to be responsible for ensuring compliance are the data controller, the data processor, and the data protection officer (DPO):
Data controller: Data controllers define how personal data is processed and make sure that outside contractors comply. In other words, the controller owns the data and sets the rules for how it is to be collected and processed. The controller therefore keeps a record of all processing activities and designates one or more data processors that can, in the name of the data controller, collect and process the data. (Regulation, G. D. P., 2018)
Data processor: According to the GDPR, a data processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (GDPR Article 4). Under the GDPR, processors can be held liable for breaches or non-compliance. Therefore, processing partners such as cloud providers, database providers, and payroll providers can be liable for penalties along with the company.
Data protection officer (DPO): According to Article 38 of the GDPR, which establishes the position of the DPO, "The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data."
f. Get Proactive About Protecting Data
Under the GDPR, compliance is an ongoing process that requires continuous effort. A proactive strategy consists of measures to prevent breaches caused by cyberattacks or accidental exposure. The goal is to anticipate the possibility of a data breach before it happens. As Curry (2021) observed, addressing privacy proactively is much better than being summoned to court for taking the opposite stance. As he highlights, "Organizations must understand that their customers are their most important business asset and having access to their data is not a right, it is a privilege. It is, therefore, up to them to ensure that it is secured comprehensively: and getting privacy right is the surest way to avoid future liability."
Article 25 of the GDPR creates a general duty for data controllers to implement Privacy by Design and Privacy by Default mechanisms, which reflects that aim. The concepts of Data Protection by Design and Data Protection by Default are interrelated but carry different meanings. Data Protection by Design refers to the design and existence of embedded safeguards and mechanisms that protect the right to data protection throughout the lifecycle of an application, service, or product; Privacy by Design is essentially data protection through technology design. Data Protection by Default, instead, refers to implementing such safeguards as the default setting (Jasmontaite et al., 2018). Behind this is the thought that data protection in data processing procedures is best adhered to when it is already integrated into the technology at the moment of its creation (Curry, 2021).
This article offered a brief overview of the ethical aspects of the GDPR and presented some of the most relevant technical and organizational measures for businesses to comply with it. At its core, the GDPR promotes the ethical use of personal data. It requires organizations to ensure that they have appropriate security measures in place to protect the personal data and privacy of EU citizens. The GDPR's standards on privacy law and human rights have inspired many countries to strengthen their data protection and privacy rules, making it a model for many other data protection regulations and directives worldwide. Ethical judgments are an integral part of the application of the GDPR, and organizations need to make ethical judgments part of their accountability. However, when designing and implementing GDPR governance processes, companies and organizations shouldn't focus so much on the regulation and potential fines. Instead, they should implement data protection regardless of whether the GDPR applies to them in a legal sense, and focus on building and sustaining trust while communicating the importance of the ethical use and value of personal data.
References
1. Claudiu. (2021, October 11). 6 Key Steps to Ensure GDPR Compliance – The Steps You Need to Take Right Away. CodeinWP. https://www.codeinwp.com/blog/gdpr-compliance/
2. Curry, S. (2021). Achieving GDPR compliance post-Privacy Shield. Computer Fraud & Security, 2021(2), 6–8.
3. I-SCOOP. (n.d.). GDPR and approved codes of conduct – demonstrating compliance. Retrieved August 5, 2022, from https://www.i-scoop.eu/gdpr/gdpr-codes-conduct/
4. Hijmans, H., & Raab, C. D. (2018, July 30). Ethical Dimensions of the GDPR. In Commentary on the General Data Protection Regulation. Cheltenham: Edward Elgar (forthcoming). https://ssrn.com/abstract=3222677
5. IBE. (2018, May 30). Beyond Law: Ethical culture and GDPR. Institute of Business Ethics. https://www.ibe.org.uk/resource/beyond-law-ethical-culture-and-gdpr.html
6. Jasmontaite, L., Kamara, I., Zanfir-Fortuna, G., & Leucci, S. (2018). Data protection by design and by default: Framing guiding principles into legal obligations in the GDPR. European Data Protection Law Review, 4, 168.
7. Moor, J. H. (1985). What is computer ethics? Metaphilosophy, 16(4), 266–275.
8. Regulation, G. D. P. (2018). General data protection regulation (GDPR). Intersoft Consulting, Accessed in October, 24(1).
9. UNCTAD. (2019). The impact of rapid technological change on sustainable development. United Nations Conference on Trade and Development. United Nations Publications. https://unctad.org/system/files/official-document/dtlstict2019d10_en.pdf
Cover: Somewan, Data Privacy Day. [Digital Illustration]. Retrieved from https://dribbble.com/shots/17464253-Data-Privacy-Day
Figure 1: (n.d.). [Digital Illustration]. Retrieved from https://medium.com/illumination/thought-why-is-computer-science-a-good-topic-to-study-ef5494afac9c
Figure 2: arrow123, GDPR Princípios Gerais de Proteção de Dados Infográfico da Roda. [Digital Illustration]. Retrieved from https://br.depositphotos.com/196715936/stock-photo-gdpr-general-data-protection-regulation.html
Figure 3: Michał Szymański, GDPR Illustration. [Digital Illustration]. Retrieved from https://dribbble.com/shots/7080160-GDPR-Illustration
Figure 4: Laura Gassin, Illustration Personnal Data - GDPR [Digital Illustration]. Retrieved from https://dribbble.com/shots/4135663-Illustration-Personnal-Data-GDPR
Figure 5: ASIF, Security Control Environment. [Digital Illustration]. Retrieved from https://dribbble.com/shots/14294902-Security-Control-Environment