This article was written co-operatively by RoundTable Technology's Kim Snyder and LA Tech4Good's Rachel Whaley.
Yes, there are a few looming, scary reasons why nonprofit professionals are rethinking their relationship with their own data. The first is compliance. In recent years, individual states -- California, New York, Colorado -- have enacted privacy regulations. The majority of states have recently considered enacting some level of privacy legislation, and many are actively in the process of drafting legislation. In our increasingly boundary-less world, many organizations collect data from EU residents. That means that GDPR applies. Even if privacy regulations aren’t on the radar, they are sure to be knocking on just about every organization’s door soon.
The second scary reason is cybercrime. We hear about it in the news, and we also feel it in our gut: data breaches are a very real threat for organizations of any size. Breaches and ransom attacks are not just a big business problem. Nonprofits collect and process high value data, particularly donor data, and cybercriminals have their eyes on this, especially in today’s very polarized world. Added to this are recent global tensions with Russia’s invasion of Ukraine, which places US-based organizations on high alert.
Both of these realities are motivating nonprofit leaders to prioritize data management and security like never before. Think of these as the extrinsic motivators for organizations to take control over data. We need to take actions to prevent bad things from happening to us. That doesn’t make these reasons any less real — and building a practice of data management is a very real requirement for addressing them.
But there is another brighter side to this.
The same data management practices that nonprofit professionals are learning and building to address privacy and security share significant elements with data ethics principles and practices. Developing data governance and management practices offers organizations an opportunity to actively build a data ethics culture. Promoting an ethical approach to data means that in addition to complying with relevant regulations, you are also ensuring that your organizational core values are reflected and upheld in your data practices.
Think of data ethics as an intrinsic motivator. We need to take these actions because they will make us better as an organization. We will be more conscious of what we collect, more thoughtful about how we manage this data, and become more trustworthy in the process.
Ethical Building Blocks
Ethics principles touch upon virtually every aspect of establishing organizational best practices in data management and security. Here are a few examples of how aligned these principles and practices are:
Start with Individual Rights
The newly emerging state-based privacy laws incorporate the principles of the European Union’s General Data Protection Regulation (GDPR) as a foundation. GDPR is created around the belief that personal information belongs to the individual, and that individuals have an inherent right to privacy. Respect for an individual's right to privacy as a starting point is very solid ground upon which to build ethical data practices.
Know Your Sources
Capturing the how and why of data collection is a first step in building a data inventory. Once we can verify we have a legitimate reason for collecting a person’s information, we need to document the collection points to ensure that we can protect that information at every point in its journey into and through our organization. Data ethics asks that we know and examine our sources, but for slightly different (but related) reasons. In the foundational work “Datasheets for Datasets”, researchers led by Dr. Timnit Gebru provide a model for documenting data sources and processes to promote greater transparency and accountability throughout the data lifecycle. Documentation like this is a key tactic for promoting ethical data practices, because it enables transparency of crucial information such as, How was this data collected? When and why was it collected, and by who? How is the data processed and analyzed? And based on all of those answers, what should the data be used for? What should this data not be used for? Answering these questions about your datasets up front will help get everyone on the same page about how to use the data and will help prevent misunderstanding of what the data means.
Align with Your Organizational Values
As you think about what it means to practice data ethics in your daily work at your organization, one good starting point is to assess how closely your data practices align with your organizational values. Building data documentation is a great step in beginning to align your data practices (which could include technical choices, process steps, and team setup) with those values, because the act of creating documentation requires you to look closely at each piece of data with a critical lens. These reflections can help you think through how your values, whether those include respect, inclusion, accountability, or any other core belief, manifest themselves in your data work, and how to make them more tangible in your data management processes.
Protect what we Collect
Security is another crucial aspect of ethical data management. When we collect personal information -- whether it’s our constituents or employees -- we need to be trustworthy guardians of that information. Considering that “accidental” is one of the root causes for data leaks and breaches, we need to establish the systems that minimize the risk of those accidents from happening in the first place. This is why healthy cybersecurity is inseparable from data management practices in today’s world. This is especially true for organizations and programs that handle sensitive data, where accidental exposure can lead to very real risks for individuals.
We believe that the process of building ethical data management practices is one of continuous learning. New regulations will emerge, cyberthreats will advance and ethics requirements will evolve as our programs and organizations change. It is never too soon for organizations at any point in their data maturity evolution to begin building in data ethics practices.
Building your Data Maturity Model is another good next step to take in this journey, luckily we have another article detailing this process.
To learn more about building ethical data management practices, join us for our upcoming webinar, Data Ethics and Privacy for Nonprofits – register here!