4 Must-Know Gray Areas of Data Privacy and Ownership
Posted by Shannon Flynn, August 18, 2021
Data is the world’s most valuable resource. The digital revolution has provided an ever-growing wealth of information about people that can help optimize businesses, accelerate research and personalize virtually everything. As more organizations look to capitalize on this information, though, questions of data privacy arise.
One of the most significant challenges data scientists face is their work’s legal and ethical gray areas. While many data ownership regulations exist, they’re not always black-and-white about who they cover and what specific actions they require. Data scientists must understand these areas of uncertainty to approach data safely and ethically.
With that in mind, here are four gray areas of data privacy and ownership you should know.
Lack of Comprehensive Data Legislation
Perhaps the most glaring gray area in data privacy is the U.S.’s lack of comprehensive regulation on the subject. As of July 2021, only three states have signed privacy bills into law, and no federal law addresses it for all sectors. Without a formal source of required and banned actions, it’s not always clear what data scientists can and can’t do.
Since these regulations are mainly a state issue now, there can also be conflict between jurisdictions. A data science operation that’s perfectly legal in Virginia may be against the law in California. Until more comprehensive legislation passes, data scientists working with information from multiple states must err on the side of caution.
International Data Regulations
Similarly, unevenness between international data privacy laws can create gray areas for data scientists. For example, the EU’s General Data Protection Regulation (GDPR) can apply to non-EU companies if they collect data from EU citizens. If that’s the case, then you may face discrepancies between the GDPR and local regulations.
Data scientists could easily find themselves under the jurisdiction of both the GDPR and another separate law. If these two or more regulations contradict one another, scientists may have to take different measures with different data sets. Businesses that don’t understand these potential differences may accidentally put themselves in situations where they’re non-compliant with one or more foreign regulations.
Government Contractor Regulations
Even where data laws exist in the U.S., their scope isn’t always clear. The Department of Defense, for example, requires contractors to meet certain privacy criteria to win contracts. While this generally translates to specific requirements from the National Institute of Standards and Technology (NIST), there’s also some room for interpretation.
If a company had a contract before October 2017, they could meet “alternate, but equally effective” measures instead. What constitutes “equally effective” is rather open-ended, leading some companies to find themselves in unanticipated legal trouble.
Another potential gray area that’s seen a lot of attention lately is the Health Insurance Portability and Accountability Act (HIPAA). This regulation, which covers health and medical data, contains several gray areas over what companies and information it covers. Consequently, overlooking this ambiguity can lead some data scientists to unintentionally violate HIPAA.
What to Do About Data Ownership Gray Areas
In light of these many data ownership and privacy gray areas, data scientists should exercise caution. Since 65% of companies today have a chief data officer, companies should ensure that regulatory compliance is part of that position’s responsibilities. Having a final authority responsible for ensuring that all data science operations comply with relevant regulations can help navigate gray areas.
Seeking guidance from regulatory bodies before beginning any data science operation can help guide legal, ethical governance. When a discrepancy exists between two or more relevant regulations, opt to comply with the most stringent law. Similarly, maintaining high standards even when no industry best practices exist can help ensure compliance amid unclear jurisdictions.
Data Privacy Can Be Complicated
Data privacy is a fairly new concern, so regulations and industry standards have yet to catch up to it. As time goes on, more consistent and clear standards will emerge. Until then, data scientists must be aware of the gray areas they face, so they can approach them carefully.
About the author: Shannon Flynn is a tech writer and Managing Editor for ReHack.com. She covers topics in biztech, IoT, and entertainment. Visit ReHack.com or follow ReHack on Twitter to see more of Shannon’s posts.