Data Protection as a Corporate Social Responsibility

I’ve been saying it for quite some time, but it is becoming ever more clear that Data Protection in itself can represent a new form of Corporate Social Responsibility.

No present or forthcoming legal framework (whether it be the EU’s much-discussed General Data Protection Regulation or new competition rules) will ever be able to effectively regulate our data-centric society while also perfectly maximizing the benefits for citizens and effectively minimizing the risks that new technologies pose.

Regulators and institutions/LEAs can no longer be the police of the Internet, and the time when companies were able to consider data protection and fair competition practices as mere legal compliance obligations is in the past. In this data-centric world, businesses need to consider fair practices, privacy, and data protection as assets that can help them to responsibly further their economic targets.

In fact, the effective use of technology can successfully leverage the benefits of big data while at the same time limiting risks to privacy, but this can only be done effectively at the company level. Sound corporate policy can allow for data processing in a responsible and sustainable way, furthering the potential of data to improve human existence.

In light of this, I propose 5 Rules of Socially Responsible Data Protection:

  1. embed data protection and security in the design of processes
  2. be transparent with citizens about the collection of their data
  3. balance profits with the actual benefits for citizens
  4. publish relevant findings based on statistical/anonymized data to improve society
  5. devote a portion of revenues to awareness campaigns for citizens with regard to the data-centric society

For more information, please see my recent presentation from the Risk-Based Approach to Proportionality panel at the closed-door ‘Digital Single Market Ecosystem: Innovation, a Seamless Digital Market, and Stakeholder Rights and Interests – How Do They Work Together?’ conference organised by the European Centre on Privacy and Cybersecurity (ECPC) at Maastricht University and The Information Accountability Foundation (IAF) in Brussels (Belgium), which you can find here.
