When we talk about the processing of data we usually think about data protection or the GDPR and how it applies to the lawful processing of the data.
Of course, data protection regulation is all about the processing of personal data, data that can identify an individual, and whilst some of the complexities of data mean that it’s not always clear cut as to whether a piece of data is personal or not, if the data links to an individual in anyway (even when it appears to be anonymised) then it’s covered by the data protection rules.
But if we think about the wider connotations of processing digital data as a whole, whether personal or not there’s a lot more to be considered. Whether we talk about the rise of artificial intelligence (the so called fourth industrial revolution), machine learning, processing data for good (such as analysing medical data to help identify possible genetic disorders), algorithms or tech in our homes (e.g. voice recognition like Amazon’s Alexa) data processing is involved in one way or another.
The GDPR is technology neutral. In theory it doesn’t matter whether personal data is being processed by an algorithm or for the delivery of a service by a human using a spreadsheet or CRM, the GDPR applies. But when technology is doing the processing (AI, machine learning, voice recognition, driverless cars, etc.) how is that controlled or managed. Enter the world of data ethics or how to keep the machines (and the humans who control them) in check.
On the face of it, the concept of data ethics is no different from data protection. If you’re going to find that your data is being processed whether anonymous (if such a thing exists) or not, you want it to be:
- fair
- safe
- secure
- transparent
- with a level of accountability
Whilst there is a lot of data being processed in anonymous form, the true value of data is usually in being able to identify actions or behaviours of individuals and determine bespoke outcomes – just look at Cambridge Analytica. Indeed Cambridge Analytica and the ensuing Facebook/CA scandal highlights the need for an ethical approach – did Facebook users know they were being targeted based on data gleaned from Facebook, was it clear?
For some, the concept of data ethics is about calling to task those organisations that have an unfair balance of power over our data (typically FAANG (Facebook, Apple, Amazon, Netflix, Google)). A look at what the tech giants are doing and whether it’s in everyone’s interest and not their financial gain. However, data ethics covers much more than that, for example:
- How do we make sure that bias is not programmed into data processing algorithms (where the bias may unconsciously or consciously caused by the algorithms coder)?
- When driverless cars become mainstream – who decides, in a scenario of an inevitable accident who the car hits? Should the car decide to save the passenger, the person crossing the road or the driver of another car coming towards it? What if the car’s AI has access to data that allows it make a decision about whom it’s more important to save, or less important to potentially kill?
- Is there enough diversity in the data available?
Whether processing personal data or not, the concern about AI particularly, has got the authorities worried mainly because:
- The big tech giants are typically those doing clever AI stuff with the data – who’s keeping them in check (although Google for example have just announced their AI ethics panel)
- AI algorithms can be difficult to comprehend sometimes, let alone understand
- Who’s making the decisions about how the algorithms work?
So, it’s no surprise that tech and data ethics have become buzzwords of late. And it shouldn’t be any surprise that the ICO (Information Commissioner’s Office) also has AI on its radar. In the ICO’s Technology Strategy for 2018 – 2020, AI is one of their top three priorities. Indeed, this is why in March 2019 the ICO launched their work towards a framework for auditing AI; they’ve published an overview of the framework which aims to look at both governance & accountability and AI specific risk areas, with the risks looking at a lot of the data protection principles and rules:
- Fairness and transparency in profiling
- Accuracy
- Automated decision making models
- Security
- Data minimisation
- Exercise of data subject rights
Whilst the ICO are clearly looking at AI from the point of view of GDPR compliance and making sure that any AI personal data processing gets the full data protection and privacy treatment, they’re not the only organisation working on approaches to data ethics or ethics in technology. The UK government has set up a Centre for Data Ethics and Innovation (CDEI) to anticipate both “the opportunities and the risks posed by data-driven technology“. Their 2019-2020 work programme is set to look at:
- Personalised and targeted messaging via online services
- Algorithm bias
- Identifying the highest priority opportunities and risks
- Respond to existing “live” issues
There’s some clues about what this work will aim to achieve in their 2-year strategy document which essentially talks about identifying issues and how they’re going to deal with them, whilst at the same time identify how AI and technology can actually make the world a better place.
So, next time you consider how you’re processing data or perhaps how others are processing your data – have a think about how it might be being processed, what decisions are being made using that data and most importantly of all, whether you’re happy for your data to be used/processed in that way.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR