As companies assess the consequences of new data privacy legislation, they should also review and recalibrate their data ethics guidelines. This includes addressing how to manage financial and accounting metadata, work papers, and electronic reports in core information technology information systems, as well as the storage location of this data, to meet these new legislative requirements. In addition, it means gauging whether the company’s data policies are in line with its overall ethical guidance. Management accounting and finance departments are integral in gathering these facts and answering core ethical questions related to data management and security.
A data-readiness assessment for present-day data privacy compliance should include a review of the organization’s current data governance process, inventory and mapping of data at rest or in transit, data privacy’s impact on new products and services, data usage by third parties, data consent and transparency policies and procedures, and incident response and data breach notifications.
These efforts will often raise ethical concerns. The organization will need to make ethical decisions once data compliance gaps are identified or residual risk exceeds the organization’s level of risk tolerance.
Does the customer really care how data is used? Should I accept the legal risk? Is it too expensive to meet the requirements of data privacy laws? We will never be audited by a foreign regulatory agency, so why change our policies or invest in additional compliance controls? Should we take a risk-based approach in determining what data management processes are most critical?
DATA ETHICS IN PROGRESS
Most organizations are establishing or revamping their data compliance models. Academics, senior management executives, and compliance professionals are developing new, comprehensive data compliance methodologies and data ethics guidelines. Top law schools and legal institutes are addressing data ethics with new thought leadership and recommendations for how to resolve data privacy and protection dilemmas. It’s important for organizations and society as a whole to start viewing data ethics from a more mature modeling perspective than what has been acceptable previously.
Data compliance models and data ethics policies should be developed to incorporate a universal review of new legislation leveraging commonality amongst the worldwide legislation that’s been enacted. Data ethics policies should be universalized at the enterprise level and not compartmentalized.
Data ethics is all about doing the right thing with data. With that in mind, there are four primary questions that management accountants and finance professionals should be asking to better understand data ethics within their organization:
- Is the data usage process in line with customers’ expectations? Is business data being used in a way that customers can trust is proper? Is customer data being tagged, linked, monitored, and sold without customers’ knowledge? Is the usage of that data beyond the needs or requirements of the organization’s business model and services? Is data being used in a trustworthy manner?
- Will the data usage process be lawful? Is your organization following data privacy and protection laws applicable to every business location in which it operates? This should include understanding data usage compliance requirements and identifying any gaps that must be filled to meet those requirements. Are there formal customer usage notices and consent queries, breach notification timelines, and privacy impact assessments in place? It’s important to review all privacy legislation that may impact the organization. Is everything legal?
- Would you be comfortable with a family member being subject to your organization’s data usage process? Is data being used in a way that you can openly discuss with a family member and feel at ease? It isn’t unusual for third-party vendors to have unlimited access to customers’ personal identification information, even when it isn’t required for their services. Sensitive personal data such as birth date, gender, address, Social Security number, and so on may be bundled for ease of transit to reduce programming expenses, but that creates data privacy noncompliance issues if it goes undocumented. Personal data may be at risk. Are you content with family members using your organization’s business services?
- Will you be comfortable with how data is being used within your organization? Are there any conflicts with your personal or professional values or concerns with organizational data usage? Is anything keeping you up at night? In your daily interaction with enterprise, financial, and HR information systems, is there a need to further discuss risks and risk responses based on legislative changes and lessons learned from past or current issues and problems? This isn’t just digital data, but also logical and physical access as well as the location of hard copies and other records. Are there any red flags?
These questions are just the first steps in data ethics awareness and how it may impact your organization and career. They should generate thought and prompt further risk-based action toward data privacy and protection compliance.
DATA ETHICS MOVING FORWARD
Data governance, including data privacy policies, procedures, and tone at the top, and compliance aren’t going away, and they have a strong ethical component.
With changes in data legislation, a routine proactive review or recalibration with data compliance and ethics is necessary to maintain a sound enterprise-wide data risk profile that mitigates potential compliance violations and legal risks.
Management accountants and finance professionals should take on an active role in the data governance process and offer to help the board and compliance professionals in making ethical decisions related to data.
IMA ETHICS HELPLINE
For clarification of how the IMA Statement of Ethical Professional Practice applies to your ethical dilemma, contact the IMA Ethics Helpline.
In the U.S. or Canada, dial (800) 245-1383. In other countries, dial the AT&T USA Direct Access Number from www.usa.att.com/traveler/index.jsp, then the above number.
The IMA Helpline is designed to provide clarification of provisions in the IMA Statement of Ethical Professional Practice, which contains suggestions on how to resolve ethical conflicts. The helpline cannot be considered a hotline to report specific suspected ethical violations.
June 2019