What are data ethics and are they important?

 Introduction to data ethics

 

Those of us who work in the field of data protection are very familiar with the letter of the law – the various rules and regulations behind data protection as set out in the UK GDPR, Data Protection Act 2018, Privacy and Electronic Communications Regulations and all the other applicable laws, but what about those grey areas where the rules don’t really help us much, and when there are tech innovations that are not quite covered by the law?

 

That’s where data ethics come in.

 

Data ethics cover the bits where the law isn’t necessarily enough. Just because you have followed a process doesn’t mean you couldn’t and shouldn’t have made a better decision if the outcome had negative consequences. It also helps us where the law gives us ambiguous phrases, for example, “unacceptable risk” or “reasonable measures”. Data ethics can be used to mark out those boundaries.

 

In addition, data ethics are crucial for protecting an organisation’s reputation, too. In many cases where an organisation suffers a breach, they may not be found to have been in breach of baseline data protection measures by the regulator, but the reputational damage could cost them severely. Data ethics serve to reinforce the law and increase the standards, thereby lowering the chances of such breaches occurring in the first place.

Considering the risks

It’s easy for people to only think about the risks to their organisation. This, in turn, means that the only risks being managed are the organisational risks, and not those faced by data subjects, whether individuals or groups. There is an assumption that if you intend no harm, then you will do no harm, which unfortunately is not reality.

When taking ethics into consideration, we should assume that a harm is imminent at all times – the concept of data hazards – and then think about how this can be mitigated. A lot of data harms are not a result of malice, but rather an unintended consequence. When thinking of a data hazard, it should be seen as a potential source of harm but one that can be reduced or even avoided with measures.

The question that ethical data protection professionals must ask is ‘what countermeasures can be taken to reduce the risk to the data subjects?’ Making that the priority is the key point of a decision with ethical backing.

What are data ethics?

The ideology of data ethics is rooted in what’s right and what’s wrong. Because of this, there is no set foundation or no ‘one size fits all’ approach that can be used. Ethics will look different to different people and will depend on the choices that you are making. It requires you to think about the cost of a decision, and whether the outcome of that decision is justified.

What does ethics look like to you? Is it rooted more in compassion, good faith, value, agency, or a balanced combination of all these things? You will also need to think about “can it be done”, “may it be done”, and “should it be done”. The aim of data ethics is to bring the ‘should’ to the forefront of your thinking when making a decision. Unfortunately, there is no right answer to these questions, and it will be up to you and your organisation to determine exactly what this looks like.

  • Ensure the correct people in your organisation have the right knowledge to identify data hazards and recognise and implement the appropriate mitigating measures.
  • Have governance measures in place to ensure that the appropriate people in your organisation take responsibility for implementing data ethics.
  • Be vigilant for these hazards through the use of tools such as data protection impact assessments.
  • Give people the time and space to think about the decisions they’re making while also allowing for healthy discussion.

Data protection can often be confusing. A practical way to give people the knowledge to make ethical decisions is to provide education that changes the mindset of how people make these decisions. If your organisation can get to a place where thinking about data ethics is at the forefront, it will become second nature and non-burdensome.

Why should data ethics concern you?

So, the important question is: why should you bother? Data ethics may seem like another time-consuming task that will further burden your organisation, but there are very valid reasons for taking an ethical approach. The first and most obvious reason is you’ll reduce the punishment received from the ICO. If you can demonstrate that you did everything in your power to prevent the risk from happening, then the ICO won’t be as harsh on you.

 

The second less obvious reason is people. Individuals are what keep organisations and businesses running, whether it be employees, customers, clients, and everything else outside and in-between. On top of this, people are becoming more aware and vigilant when it comes to keeping their data safe, and if your organisation can demonstrate that you’re a frontrunner in this, it can give you the edge above competitors for any potential employees and clients in the future.

So, what do you do?

Now you know what data ethics are and why they’re important. However, what matters most is understanding your responsibilities, which are to recognise the issues, be cautious when making decisions that have the potential to cause data harms and avoid causing that harm if possible. Think about the impact that your decisions may have in the future, and whether the risk of that harm is worth it, not just from a business perspective but also from a humanitarian one. Consider whether the decision you’re making is the right one and whether it is ethical.

Some useful tools

There are plenty of resources available out there that could give your organisation a helping hand putting this into practice. It can certainly be daunting trying to properly approach data ethics, but with the right tools and knowledge, you’ll be well on your way to becoming experts.

Here are a few to get you started:

 

The UK Government Data Ethics Framework

 

The ODI Data Ethics Canvas

  

The Ethical OS Risk Mitigation Checklist

 

Doteveryone Consequence Scanning Manual

How DPAS can help

 

We at DPAS have a whole training course dedicated to data ethics – why not check out our upcoming courses to read more about it?

 

We also provide a wide range of services in many different areas of data protection. Take a look at our website to see how we can help you out.

 

After all, your data is our business.

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation