-
Management is essential. Drawing substantive lines between ethical, and unethical, uses of AI is only the first step. The organization must also manage its operations to ensure that it stays within these boundaries. This includes making a particular person and/or committee responsible and accountable for the data ethics management function.
-
New management functions and structures are needed. The data ethics management function goes beyond the privacy one. It addresses bias, manipulation, opacity and other risks that go well beyond privacy violations. And it aims towards a beyond compliance goal rather than compliance with privacy regulations. Given this, data ethics management requires organizations either to expand the privacy role, or to establish new positions and entities capable of managing the data ethics function.
-
Organizational location varies. Organizations made different choices as to where to house the data ethics officer or committee. Some companies chose to locate the data ethics function in their privacy unit since it has traditionally handled externalities associated with use of personal data. Others locate it in the legal unit, or elsewhere in the organization.
-
Data ethics officers and committees play important roles. Some organizations localize the data ethics management function in a data ethics officer—a position that was only just emerging at the time of our research—or expand the privacy officer position to encompass it. Some create an internal, cross-functional data ethics committee. In a company that has both a data ethics officer and an AI ethics committee, the two may share responsibility for establishing policies and procedures and for making data ethics judgment calls, with the committee usually deciding the highest stakes issues.
-
The data ethics function tends to be a strategic, rather than a compliance-oriented, one. Privacy management focuses primarily on compliance with privacy laws. By contrast, data ethics management goes beyond compliance with existing laws in order to build and sustain trust and prepare for future regulation. This is a strategic, rather than a compliance-oriented, function. In some companies, the strategy unit was the one that pushed for data ethics management.
7.1 Organizational Structures
7.1.1 Privacy Office
7.1.2 Legal Department
My area reports up through the law department, which is interesting, because when I originally assumed this role, it was part of compliance . . . It made sense to move under legal, we also wanted to get out of the checkbox kind of compliance thinking. When you think of compliance, you think, "I check the box and I take care of what I need to do." . . . [T]hat's really . . . not the appropriate way we want our folks to think about it. (Interviewee #16)
Percent | |
---|---|
No one in particular | 10.7 |
Privacy officer or similar | 32.1 |
Legal or compliance executive or manager | 32.1 |
Other high-level officer (e.g., Chief Data Officer) | 3.6 |
Data ethics officer or similar | 14.3 |
Other | 7.1 |
7.1.3 The Chief Data Ethics Officer
Percent | |
---|---|
No | 82.8 |
Yes | 17.2 |
Percent | |
---|---|
No | 10.3 |
Yes | 89.7 |
I've just changed the name of the global program and my title has officially changed. My official title is now [title that includes “Data Ethics”] and I've changed the name of the global program to [name that includes “Data Ethics.”] And it is because the way that we've done it at [company] is full accountability of all the data that we process and that we steward. That's a very different thing than ensuring you of just privacy requirements like notice and choice. [The idea that the company] should be comprehensively accountable for the data collection, the data activation, the data transformation, the data distribution, is a very next-generation program. It's always been built on ethics. We've been talking about the program as ethical data use for about five years. Then I, as I say, a few weeks ago, I made the official change. That's our journey. (Interviewee #6)
We actually added data ethics last year, so my title and my department changed. . . . if we are to do what we need to do for our customers . . . [w]e need to get folks to think of what privacy means a little differently, that it isn't simply complying with the law or policies, it is looking at things through an ethical lens. Because much of what we're doing with data is . . . in a space that is not occupied by law. . . . [D]ata ethics is getting a primary spot. That's the name of our department now. (Interviewee #16)
7.1.4 The Data Ethics Committee
Percent | |
---|---|
We do not have a process set up currently | 18.5 |
Informal screening or review–by a person or office (such as a data ethics executive or team) | 22.2 |
Formal screening or review–by a person or office (such as a data ethics executive or team) | 11.1 |
Formal screening or review by an internal committee, advisory board, or specialized body (e.g., ethics committee, IRB, etc.) | 33.3 |
Screening or review of another sort | 11.1 |
I do not know | 3.7 |
7.1.5 Philosophers in the Corporate Ranks
[A]t the heart of that is the question, what is the consequences of that, and even that, why do we have government? What is the purpose of government and what happens if we change the fundamental way the world operates by creating this extra-governmental space and is that good or bad . . . . And so being able to think through those questions and recognize those questions is a big part of what we do. Lawyers . . . our job is to look at the legal implications; engineers’ tunnel vision is: “I want something that works fast and effectively,” and so philosophers are helpful in dragging us out of those mindsets and thinking about, looking at the broader implications. It’s an incredibly valuable insight. And we’re employing philosophers, which has got to be valuable. (Interviewee #10)
7.1.6 From Compliance to Strategy
[The shift from privacy officer to ethics officer] is reflective of a really different way of approaching the subject . . . [R]eframing the whole discussion around customer trust has transformed the way I'm able to talk to the business. Before . . . the goal was to simply to get it by me, to check the compliance function. . . . [Then] I went in and I said, hey, this is about whether our customers trust us. . . . So that was the lens that the business understood. They understood how important it is to keep customer trust. They want more customers. So when I talked to them about the customer experience and customer trust, it completely turned it around. . . . The reality is we're ending up going so much farther and building things that are far superior in terms of the customers’ experience around privacy. Just because I started with how the business wants to design products and services. (Interviewee #20)