You’ve probably heard the expression “data is the new gold.” Considering the benefits of data surely makes it tempting to collect everything you can get your hands on, but it’s important to remember that there are ethical aspects to using data. In this post you’ll learn about how data ethics can help you with your general cybersecurity work and build trust in your organisation, while ensuring that you are keeping people and their data protected. We’ll also go through some concrete methods for how you can make data ethics part of your employees' daily work practices. If you after reading this post, still want to know more about the ethical use of data or test your newly learned knowledge, you can do so by trying the awareness training course in data ethics. For now, let's start by looking at what data is and why we need to think ethically about how we use it.
Table of contents
What is (big) data
Data can be defined as the bits and pieces of information that exist and are created all around us, as everything we do on the internet generates data. When talking about data ethics, we mostly think of data as big data. Big data refers to large amounts of data that can be analysed by computers to identify patterns and predict behaviours.
When big data is analysed, multiple individual data sets are grouped together, posing a new threat to privacy and data ethics as placing people into groups can make them vulnerable targets. This is happening within many industries e.g., the banking sector, where machines provide information on who should get a loan and at what rate.
You, like many others, might consider big data to be a safer and more ethical alternative to personal data, as big data doesn't link back to specific people. But there are cases were big data has been traced back to indivduals. There are also other ethical issues related to big data that force us to think ethically about big data as well as personal data.
What are data ethics
Data ethics refers to the responsible and sustainable use of data. It's about doing what’s right for other people and society. With data being everywhere, people tend to treat data like any other resource and forget that they’re dealing with information about real people. Data ethics reminds us of the moral obligations when using data. Involving ethics into your IT-security work can seem complicated, but it’s also necessary as we need ethics to guide us in making good choices.
Ethics tells you how you ought to act and helps you distinguish between right and wrong. Although there isn't a universal view on ethics, ethical theories and shared moral believes can help us identify important values. Some examples of these values are fairness, security, transparency, trust, and perhaps the most discussed value when it comes to cybersecurity - privacy.
“Data ethics refers to the responsible and sustainable use of data. It's about doing what’s right for other people and society”
How ethical use of data can benefit your organisation
We know you already have a ton of responsibilities when it comes to cybersecurity, GDPR and the safe handling of data. So, why should you prioritise or even consider adding data ethics to the list? To put it simply, protecting data means protecting people. If you care about your customers, employees, and people in general, you should be taking data ethics seriously.
Here are three more benefits to data ethics:
-
Increase your data security
-
Lower the risk of cyberattacks
-
Create strong relationships
Increase your data security
Data ethics is about keeping data protected. Every organisation should play their part and protect data from being stolen, corrupted or destroyed. For this, you need systems and processes in place that will protect the data. You can increase the data security level in many ways e.g., by training employees or having strong IT-security policies. We'll discuss these and other methods later in the article.
Lower the risk of cyberattacks
Cyberattacks are becoming more and more common and unfortunately, they can take a long time to recover from. If you become the victim of a cyberattack, you risk both financial impact and harm to your reputation. This can lead your stakeholders to lose trust in you and your organisation. Cybercriminals target all organisations, from large corporations to small start-ups. The good news is that when employees know how to handle data ethically, they lower the target on the organisation and breaches become less likely to happen.
The right handling of data is not a voluntary practice and failing to follow the GDPR can result in heavy fines. If you need to refresh your memory on the regulations, read this post on the principles of GDPR
It’s safe to say that you’ll receive a much greater return when investing in educating employees and other types of security work, than simply waiting for a data breach to happen.
Create strong relationships
Privacy isn't just about not disclosing information. It’s also about who we choose to trust in keeping our information private. When a consumer gives you information about them, it’s a sign that they trust you’ll keep it safe. That’s why treating people's data as something you borrow will earn your customers’ trust and meet their expectations on how you handle their data.

Now that you know why you need data ethics, we’ll take you through how to include them in your work.
6 ways to include data ethics in your organisation
It’s time to look at some of the ways you can introduce data ethics into your organisation. If you’re feeling overwhelmed, you can take comfort in that you don't need all 6 methods to be using data ethically. Starting with one or two might be just what your organisation needs.
So, lets dive into it!
We’ll take you through the following 6 methods:
-
Setting up ethical IT-security guidelines
-
Educating employees in data ethics and privacy
-
Collecting data ethically and in accordance with the GDPR
-
Being aware of who you share data with
-
Assessing risks within the organisation
-
Making privacy tangible with design principles

Setting up ethical IT-security guidelines
The goal of IT-security guidelines is to give your organisation an overall framework for how to act in accordance with organisational goals. The IT-security policy can help you communicate objectives, delegate responsibility, and report progress. But most importantly, it reminds people of that there are existing ways for how they ought to act when it comes to cybersecurity.
The guidelines provide employees with expectations and set the tone for your security work. But to create effective guidelines, you need to resonate with the reader and ensure that employees themselves believe that protecting data is important.
Educating employees in data ethics and privacy
Data ethics, like other IT-security practices, should involve everyone within your organisation. Conflicting knowledge or understanding of concepts such as big data, GDPR, and privacy can make it hard for you to introduce new cybersecurity practices. Training is a great method to ensure that employees share the same core knowledge and have an up-to-date understanding of relevant topics.
You probably feel like there’s a lot to learn within cybersecurity. When starting with awareness training, you’ll want to begin with courses on key concepts that build a good foundation. Once your employees share the same knowledge base, you can introduce more in-depth courses.
Courses we recommend starting with:
-
Phishing
-
Passwords
-
Personal data
At CyberPilot we offer GDPR and IT-security related courses to over 65,000 active users. Right now, you can try all our courses for FREE up to 14 days. Find all courses in our awareness training course catalogue.
Collecting data ethically and in accordance with GDPR
Ethical data collection ensures that you don’t use people's data for purposes other than what they have consented to. Being transparent about your data collection practices will ensure that both parties know how and for what purpose you’ll be using the data.
Here are some questions from Think Do Tank Data Ethics to ask yourself when collecting data:
-
Why are we collecting this customer’s data?
-
Who has access to the data (staff, salespersons, sub-contractors)?
-
Do we have a process for handling the data (access, use, deletion)?
-
How is the data stored?
-
Are we living up to our promises of transparency and privacy?
To limit the data you collect, you should set up a practice for minimising data collection, and a practice for secure destruction of data. These two GDPR principles will limit the impact in case of a data breach.
Being aware of who you share data with
Many of your employees are probably not always aware of when they are dealing with data. This can result in employees sharing their data access with other employees, without knowing they shouldn't. By informing employees on how to handle requests for data access, you can help make sure that these types of mistakes don't happen.
If you are in any doubt about who should have access to data within your organisation, read these recommendations on how to not give out personal data unlawfully.
Assessing risks within the organisation
You’ll probably want to introduce data ethics in the areas that are the most at risk. Performing a risk assessment helps you identify where the threats are and where you should be allocating your resources. You can then use the privacy by design principles, or IT-security guidelines, to set up practices that help tackle the most relevant or most high-risk problems.
Making a risk assessment can seem like an extensive task, but it doesn't have to be. To help you get started we have created a free risk assessment template. The template is easy to use, but if you want guidance, you can follow this risk assessment step by step guide.

Making privacy tangible with design principles
Most organisations struggle to incorporate privacy into practice. This is an issue not to take lightly, as protecting privacy should be one of the main goals for your cybersecurity work. Design principles can help you make privacy more tangible and easier for your team to work with. These principles ensure a proactive approach, so that employees can include privacy already at the start of new projects and avoid waiting until a problem occur - as is often the case with privacy.
These are the 7 principles to privacy by design:
-
Proactive not Reactive; Preventative not Remedial
-
Privacy as the Default Setting
-
Privacy Embedded into Design
-
Full Functionality – Positive-Sum, not Zero-Sum
-
End-to-End Security – Full Lifecycle Protection
Find out what using the privacy by design principles in real life can look like. Whether or not you choose to follow these principles, it’s good to remember that your goal when working with privacy should always be to ensure it isn't breached to begin with.
The time has come for you to put the methods into action
We know that changing the habits and behaviour of employees is difficult, but it becomes a lot easier when they can reason and understand the value of doing something different. We hope that you put the ethical use of data methods into practice so that you can strengthen your cybersecurity culture and keep people's data protected.
If you want to learn more about data ethics or other cybersecurity related topics, you can do so through our awareness training courses. Right now, you can try all our courses for FREE up to 14 days.
If you have any thoughts or comments about the article or anything else cybersecurity related, don’t hesitate to contact us.