A Data Protection Risk Assessment Is About Ethics —- Join IAF Webinar
Webinar September 6, 2017
We have never read a privacy or data protection law that requires controllers be ethical. Yet implicitly new laws are driving expectations that organizations using data robustly do so in an ethical fashion. What does that mean?
The European Union’s General Data Protection Regulation is a risk based law. It requires organisations to first understand whether a processing will create substantial risks for data subjects. If so the organization must conduct a data protection impact assessment. Once identified, risks must be mitigated. If risks cannot be mitigated the processing must be approved by the regulator. Other regions are creating the initial steps to follow in the same direction.
How one even defines the nature of risk is an exercise in ethics. Our sense of what is a risk is based on shared societal values. Data protection risks have been traditionally seen as harms, but do harms include lost opportunity? Many data protection laws begin with preambles that say the purpose is to assure the fruits of a digital economy through the free flow of data. That means assessments need to be about much more than lost autonomy. How one measures those risks comes from any number of classical ethical frames. The determination of the risk level to be tolerated rests on ethics as well. To say the least, all of this is new for companies.
So how does one even approach ethics? From a consequential perspective — highly subjective, or from a non-consequential frame? Or is there a common set of values that is agnostic to the ethical approach? The IAF is now parsing methodologies for ethically governing risks related to artificial intelligence and machine learning. It is our view that if we can solve for this riddle, we can back the analysis into more controlled processing. August 11 a few of us will be brainstorming these issues. This will in turn lead to a paper that will be released in time for the International Conference of Data Protection and Privacy Commissioners in Hong Kong, where a plenary session will be dedicated to this topic.
As an interim step, the IAF is hosting a webinar September 6 at 12:00 Noon Eastern Daylight Time. If you would like to join this webinar, part of the IAF policy series, please email Julianne Seaman at firstname.lastname@example.org.