Chapter 8 | Data Ethics Guidebook

Sample 365-Day Plan for Data Ethics

100-Day Plan:

Over the next three months, these are the actions you can take to improve your informed consent practices and minimize potential harm:

  1. Evaluate existing ethics codes that your business has agreed to follow. Consider whether they have sufficient guidance for data ethics. If not, host a design session to draft your own Code of Data Ethics. Coordinate with partners and suppliers to ensure their future ability to honor your new Code.
  2. Build an operations plan for communicating and implementing your Code of Data Ethics by charting the roles that furnish, store, anonymize, access, and transform data on behalf of your customers.
  3. Evaluate any informed consent agreements your organization offers for language that may be unclear and could lead to misunderstandings between your business and your customers. Begin to develop a plan to address these inconsistencies by simplifying language and clarifying intent around data use.
  4. Pilot a Data Fluency training program for data scientists, technical architects, and marketing professionals. Use their feedback to refine a larger program for all employees.
  5. Implement regular reviews of data-gathering techniques. Involve a diverse group of stakeholders and maximize transparency of the proceedings.
  6. Perform a gap analysis of your company’s current cybersecurity strategies that provide threat intelligence and other ways of discovering and automatically mitigating potential data breaches. Enumerate the potential harms that could impact your customers if your company mishandles or discloses data about them. Identify the organizations responsible for safeguarding against these missteps and communicate your findings with them.
  7. Develop a training toolkit to teach your employees who interface with customers how to identify harms that occur through the use of your products. Priority-rank the groups within your company who should receive the training, with the group that responds to the greatest variety of situations as the highest priority.
  8. Draft and launch a Data Fluency plan for ensuring a shared understanding of data usage and potential harms throughout your organization, including partners and vendors.

365-Day Plan:

Over the next year, build on top of the short-term goals and scale improvements to include your entire company and ecosystem of stakeholders.

  1. Gain support from your company’s leadership team to ratify your Code of Data Ethics and start working with partners and vendors to integrate the principles into new agreements.
  2. Roll out a Data Fluency training program for all employees.
  3. Develop standard text to include in consent agreements that are easily understood and accessible. Consider altering the ways these agreements are shared with customers, how interactive they are, and how customers can revisit these agreements over the lifecycle of their relationship with your products, services, and brand. Instantiate varying degrees of these updates in a handful of agreements. Consent agreements should strive to communicate the scope of how data is collected, manipulated, and used—as well as the value this data has for all of the stakeholders in the data supply chain.
  4. Now that potential harms have been enumerated, seek out instances of harm—first from existing feedback loops (e.g., call centers, customer service channels, surveys), and then create new methods for finding harms that fill gaps in existing feedback mechanisms. When unintended harms are discovered, document the incident in the form of a use case and share these findings with product owners and their managers.
  5. Deploy your training toolkit to train groups of employees based on their priority ranking. These employees should understand how to identify, document, and internally report instances of harm. If appropriate, consider disclosing these reports publicly.
  6. Align data use cases by product, interface, and data teams with the customers’ use cases for sharing data in the first place.
  7. Share the customer data-centric threat intelligence evaluation report with your CISO (or equivalent). Ask her to address the gaps your team found between what is currently in place and what a stronger posture might include.