Ethics & Trust in Tech: Thought Leadership

Across the tech sector, there’s widespread consensus that a trust deficit threatens to undermine the current business model of quality, ad-supported content. This mistrust exists between data subjects, data controllers, and data processors (to use GDPR parlance). Users don’t trust that the sites they visit are behaving responsibly with their data. In turn, those sites can’t be sure that the infrastructure which allows them to monetize is doing the same.

A Pain Point / An Opportunity

A recent AdWeek interview with Chetna Bindra, Google Senior Product Manager for User Trust, Privacy, and Transparency, gives fresh insight into how one of the world’s biggest data brokers sees the future of privacy. Bindra’s interview is chock-full of interesting nuggets. To her, data privacy is the most significant pain point. It’s also, in her view, the biggest opportunity for tech companies in the coming years. She says: “We need to find a way for users to continue to access ad-supported content on the web while also feeling confident their privacy is protected… If transparency is a pain point, it’s also an opportunity.”

The point Bindra makes is a crucial concern for us here at Ethyca as well. We believe that previous lax standards around data privacy were a bug, not a feature, of the internet era. Now that legislation like the GDPR and CCPA is coming into effect, companies are compelled to operate at a higher standard of transparency around data management, and ultimately, though it may be a short-term challenge to implement, we believe that’s a win for everybody.

Bindra lays out a vision of how an online ecosystem should work when she says: “Users need to feel like they’re getting value [in exchange for their data] and advertisers need to be able to reach people interested in what they have to offer.”

From Outdated Process to High Standards

This is an argument I frequently make to data regulation skeptics. The fact remains: current ad targeting practices, especially as large corporations and SMEs increasingly rely on programmatic buys, aren’t anywhere near the platonic ideal of “reaching the motivated consumer when they are likely to purchase.” One of the main reasons is that a non-regulated data ecosystem, one that allows the buying and selling of second- and third-party data sets without users’ affirmative consent, is never going to yield targeting models as precise as those built on well-curated, owned, responsibly managed consumer data. The old programming adage GIGO – “Garbage In Garbage Out” – springs to mind.

So, Bindra isn’t utopian. When she speaks this way about the future state of online data privacy, she’s talking about the impact on advertising. The world she describes should be a natural consequence of companies moving on from outdated processes of data management: a world where companies are running to the highest globally compliant standard. There’s no need for SMEs to feel intimidated by this prospect. It should be clear that in the long run, better data practice will be good for business.

Published from our Privacy Magazine – To read more, visit privacy.dev

Code Driven: How to Build Trust Into Data & Tech Stacks

Yesterday evening, our CEO, Cillian Kieran, gave a talk at FirstMark’s Code Driven event, located in the AWS Loft in Soho, New York. Alongside him were the CEO of FireHydrant, Robert Ross, and the CTO of Better, Erik Bernhardsson.

Cillian gave an overview of what data privacy means. He also discussed how to pare down the requirements of data privacy compliance if you’re on an engineering, data, or product team.

We’ve also attached Cillian’s presentation, entitled “How to Build Trust in Data and Tech Stacks.”

To learn more about Ethyca as well as our unique infrastructure solution to data privacy, contact us today.

Fundamentals of Ethical & Compliant Data Management

If one were to chart the most important developments in the business landscape over the last 20 years, top of the list would surely be the growth of consumer data as a precious resource. Never before have companies had access to such powerful stores of business intelligence. Never before have they had such a pressing responsibility to manage that resource carefully. In 2019, data management is very commonly the difference between success and failure. The disastrous consequences of mismanagement can impact the company in question. More importantly, they impact the consumers who put their trust in companies to protect their information.

If a business is serious about succeeding, it is imperative to build a dependable data privacy management operation from the ground up. That starts with defining a robust and comprehensive user data policy. 

Let us walk through fundamental principles that should be top of mind for any team drafting such a policy. While some of these points may seem like common sense, too often in recent years common sense has been conspicuously absent in approaches to data management. Stick to these points, and avoid the mistakes of others.

Respect for the User is Uppermost

As the final and arguably most crucial principle of Dr. Ann Cavoukian’s “Privacy By Design,” this should be a primary consideration for development teams at all times. Developing a reliable digital product is the sum of countless design micro-decisions, and at every step along the way, the question of whether the user is being respected should be answered in the affirmative. If businesses respect the user first, then other conditions of a sound data policy come naturally. For instance, transparency and privacy as a default setting will logically follow.

Data Captured Must Have a Legal Basis for Collection

Having a legal basis for the data captured is a crucial consideration when crafting a coherent data policy. In many parts of the world, the law explicitly requires it. Article 5(1) of the GDPR stipulates that personal data must be processed “lawfully, fairly, and in a transparent manner.” The GDPR also provides six conditions under which the collection of data can be considered lawful.

In Brazil, the LGPD lists ten conditions for the same. For private companies and brands, most often “legal basis” equates directly to “consumer consent.” Any team building data collection and management infrastructure must think proactively about consent as a system feature. Retro-fitting consent onto pre-built systems is a recipe for disaster... and legions of consumer protection lawyers licking their chops.

Think Proactively About Theft – Prevention & Response

There is a temptation for organizations to pay too much attention to their shiny new data collection system. In reality, that is not enough. Orgs need to pay more attention to storage and theft prevention measures. Further down the list of an average marketing manager’s considerations might be the contingency plans for responding to a data breach.

However, technical teams can start prioritizing these concerns in the absence of instruction from non-technical members of the organization. After all, the legal requirements under GDPR are precise. Article 32(1) mandates “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.” Furthermore, Articles 33 and 34 detail the required responses to data breaches, which include notifying both the relevant authoritative body and the subject. If an organization does not have processes in place for these measures to be carried out within 72 hours, then it holds liability regardless of whether or not damage results from the breach.

Never Withhold

This is a non-technical principle that yields considerable technical implications for any data collection and storage system. As a governing principle, it is essential in helping dev teams make the right decisions at every stage of development. There must be a system for updating data policies and sharing them with system subjects. There must be transparency at every juncture of the collection process. Additionally, there must be processes in place for handling Subject Access Requests (SARs) in a streamlined, efficient manner. The only instance in which the GDPR permits an organization to withhold personal data from a user request is when providing it is likely to restrict the rights and freedoms of others (Articles 12-15). This is a rare occasion, treated as the exception that proves the rule: withholding a user’s data from them is mostly forbidden under the GDPR and other comparable data policies around the world.
