It is always the right time to do the “right thing.” However, determining an objectively “right” path to follow can be a challenge. Specifically, what does that mean as applied to data privacy and security?
Contemporarily, multinational corporations’ success depends significantly on the world seeing them as good corporate citizens worthy of investment. As human existence shifts more and more into the digital realm, the importance of protecting people’s right to data privacy and security gains greater momentum in the minds of consumers. Being socially conscious is an increasingly important metric for potential investors. The ESG (environmental, social, governance) criteria should evolve to reflect data privacy’s role as a metric of good corporate citizenship.
But what does the “right thing” look like regarding data privacy? Is an objective moral standard for how corporations handle data privacy possible? How much can investors expect of a socially conscious company when it comes to the everyday practicalities of protecting data privacy beyond existing regulations? Is complying with existing regulations sufficient, or are we striving for certain standards beyond current regulations?
Multinational corporations have significant influence in the international political arena. They oversee massive supply chains and buy and sell products worldwide. Through their accumulation of resources, corporations can mould international politics to their interests. Modern investors are seeking to support companies that use their global influence to do what is morally correct. However, the road to global discord is paved with social justice hashtags. Consumers remain vulnerable to overly simplistic views of international relations and binary moral thinking. That, combined with the pressures companies face from socially conscious investors and public opinion, presents risks with global consequences.
For example: In response to the Russia-Ukraine war, major players in the international corporate world have gone beyond the letter of the law regarding compliance with government sanctions. Major retailers, including H&M, Nike, and IKEA, have entirely shut down Russian sales and closed stores. Aerospace manufacturer Boeing cut off support for Russian airlines and closed its offices in Moscow. Airbnb aims to provide housing for 100,000 Ukrainian refugees. Visa, Mastercard, and American Express shut down global services in Russia. These corporations have an estimated combined net worth of $1.34 trillion. However, it is possible to argue that these corporations’ actions sometimes harm the Russian people more than they influence the Russian government, as well as the global economy at large. In attempting to do the “right thing,” are these companies’ choices resulting in the “wrong thing?” How much does stakeholder capitalism influence this, and what can this phenomenon mean for companies managing individuals’ private data?
Ethically, there is no question whether data privacy is a human right. The fundamental importance of protecting data privacy is now well recognised. It takes time for these things to become “right” in the eyes of the global corporate community. ESG criteria are evolving to reflect the belief that individuals’ data privacy is a basic right. However, it is largely up to the corporations in control of that data—and the investors in those companies—to move the needle forward. The question now is whether we can create an objective moral standard for corporations to obtain that will move data privacy forward.
The discourse at the board level is moving to focus on how to manage the risks to a companies’ profit arising from bad data management. This is often not led by a desire to do the right thing by itself, but because doing the right thing in the world of privacy and security yields positive results.
The difficulty is that there is no single version of the truth about what it means to do the right thing when it comes to data and privacy, especially when even the concepts of personal data, personally identifiable information and even privacy are not universal yet.
In practice, a safe starting point is to:
- Have a clear ethical vision and strategy for your company.
- Ensure you have a privacy compliance framework requiring that senior stakeholders decide how data is used, in line with the organization’s ethical vision and strategy.
- Hold those senior stakeholders accountable for the decisions made and how they progress the company’s ethical standpoint in line with its vision and strategy.