Putting data ethics into practice

by Margarita Młodziejewska and Henning Soller

What defines the ethical use of data? The answer requires striking a balance between meeting users’ demands for services and convenience and ensuring that their data is used only for the intended and desired purposes. This balance—and its wide-ranging implications for consumers, regulators, and organizations—is the primary concern of data ethics.

Amid the rise of data regulation, such as the General Data Protection Regulation (GDPR) in Europe, most organizations are aware of the growing importance of data ethics. In a world where consumers are increasingly attuned to data protection and privacy, the way that organizations implement data ethics can build (or erode) consumer trust and become a source of competitive advantage. However, many organizations have yet to fully implement data ethics into their operating model and organizational culture. In this post, we discuss best practices that can help organizations translate data ethics from theory to action.

Develop a risk framework

Data ethics must be integrated into governance processes to truly become part of an organization’s DNA. Leaders can start by developing a comprehensive data risk framework that defines the guiding principles, risk inventory, policies and standards, and controls that govern the ethical usage of data (exhibit). Once the framework has been developed, successful implementation can take place only when there is clear communication, robust discussion, and alignment across the organization.

A data risk framework needs to be developed along several areas.

One effective strategy is to form a cross-functional data ethics committee that has a mandate to develop, publish, and uphold the data risk framework. In our experience, this committee is most effective when it is formally integrated into the compliance organization. A team of dedicated data ethics specialists can help identify and bring noncompliant behavior to the attention of the data ethics committee. Moreover, leaders can require the committee to weigh in on relevant data usage cases—for example, by defining when employees should seek the committee’s guidance. Because the risk landscape constantly evolves, the committee should consider regular scenario testing to prepare for emerging risks and evaluate potential dilemmas, such as those related to authentication and authorization, the usage and storage of external data, and the monetization of existing data pools.

A major investment bank successfully applied this approach to its operating and governance model. Its leaders established a set of guiding principles and a risk appetite statement that clearly defined the ethical usage of data. These principles were translated into concrete policies and standards that were directly tied to the bank’s activities—for example, mandating that customers provide consent to use data for any type of marketing, even for situations in which usage is permissible by law. Finally, the bank focused its efforts on the controls, governance, and tools that would bring these policies and standards to life. These included online learning modules, centralized controls on data downloads, and advanced-analytics models that helped to ensure compliance.

Prioritize communication

Clear and effective communication is key to ensuring that data ethics becomes part of a healthy data culture. Employees should understand why and how to use data in a responsible and ethical manner, including applying this knowledge to their day-to-day activities. While virtual training programs and emails often form the basis of such efforts, two-way communication channels such as Q&A sessions are important venues for employees to ask questions and raise potential concerns. Moreover, C-suite leaders can be role models for the implementation of data ethics and emphasize its importance to the organization. A robust communications strategy can help the organization solicit feedback, achieve broad buy-in, and improve compliance and risk awareness.

The same principle applies to communication with customers and clients. When collecting or using customer data, organizations can clearly communicate the additional value proposition to their customers. Transparency creates valuable trust and enables informed consent, even when that consent is not required for regulatory compliance.

Use the right tools

A framework and a cultural shift are not enough to successfully implement data ethics. Organizations often leverage a number of tools to create accountability and increase compliance. These include a data catalog that indicates the volume and types of data available and processed within the organization, data lineage that provides visibility into the flow of data, tools that identify where and how sensitive data are processed, data governance processes that clearly outline ownership and responsibilities for data handling, and comprehensive overviews of data ethics standards (including a code of conduct) for employees and customers to reference as needed.

These instruments serve to provide guidance and guardrails for employees to fulfill their data ethics responsibilities. Implementing the relevant technical tools can ensure adherence to risk standards and the use of relevant data controls.


It is not easy to embed a data ethics framework, culture, and tool kit into an organization. However, these actions will lay the groundwork for broad alignment and sustainable compliance with data ethics regulations, helping organizations build trust and mitigate risk in the years to come.

Margarita Młodziejewska is a consultant in McKinsey’s Zurich office, and Henning Soller is a partner in the Frankfurt office.