ROXAS, RENZ MARI P.

FUNDAMENTALS OF BUSINESS ANALYTICS

1421

MWF 4:30 - 5:30 PM

1. Data Privacy

Data is information that can be used as a powerful resource or tool. Different organizations collect data for the
purpose of business analytics. Data can be used to drive decisions and make an impact at scale. Yet, this
powerful resource comes with challenges.

In addition to owning their personal information, data subjects have a right to know how you plan to collect, store,
and use it. When gathering data, exercise transparency. For instance, imagine your company has decided to
implement an algorithm to personalize the website experience based on individuals’ buying habits and site
behavior. You should write a policy explaining that cookies are used to track users’ behavior and that the data
collected will be stored in a secure database and train an algorithm that provides a personalized website
experience. It’s a user’s right to have access to this information so they can decide to accept your site’s cookies
or decline them.

There are many instances wherein data privacy is violated and most information are used unethically. Data
privacy is a serious issue when it comes to business analytics. Firstly, violating data privacy is wrong and
unethical for your consumers. Consent and transparency is very important when it comes to sensitive information
such as personal data.

To protect individuals’ privacy, ensure you’re storing data in a secure database so it doesn’t end up in the wrong
hands. Data security methods that help protect privacy include dual-authentication password protection and file
encryption.

Example

Shortly after the Philippine privacy regulator issued yet another harsh warning this week against privacy
violations — this time related to Covid-19 contact-tracing data — members of a private social-media group on
data protection issues in the country began raising questions about whether these newly announced probes
would lead to anything.

In its statement on Monday related to complaints against 11 establishments, including a mall and a European
fast-fashion retailer, the National Privacy Commission, or NPC, warned that violators could be fined up to 5
million pesos (around $100,000) and jailed for up to six years under the Data Privacy Act.

The regulator’s warnings, however, are losing their ability to provoke fear.
That’s not a surprise. No one has been fined or jailed for violations of the 2012 law since the NPC was set up in
March 2016. Doubts are deepening about enforcement of the law and what that means for the protection of data-
privacy rights in the Philippines.

Of the thousands of complaints and data-breach notifications received by the commission over the past four
years, only a handful have known outcomes — none of which have involved any serious consequences. Many
cases are marked “resolved,” mostly through mediation, but no information has been released about them.

Consequently, questions are now being raised over whether proposed amendments to the privacy law are
needed to enable the NPC to take serious action, or if a lack of political will is what is holding it back.

Possible solutions

The possible solutions that I can think of when it comes to mitigating the violation of data privacy is the proper
use of consent and data transparency for users. This way, we can ensure the privacy of our data from being
used wrongfully.

Data privacy is a legal responsibility of companies to practice. It should also be common knowledge for users
themselves to practice safety when it comes to handling sensitive information such as data.
Data Consent

Giving consent for the proper use of data and information is especially important when it comes to handling data
and business analytics. Proper consent means that you allow the processing of the data that you provide.

Processing an individual’s data without proper consent is both unlawful and unethical. Applying proper data
consent is not only ethical, but build consumer trust and create a good reputation.

Consent is one of the easiest to satisfy because it allows you to do just about anything with the data — provided
you clearly explain what you’re going to do and obtain explicit permission from the data subject. However, as
Google recently learned by way of a €50 million fine, you can’t cut corners. French data protection authorities
said the company’s version of obtaining consent was neither “informed” nor “unambiguous” and “specific.”

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data
subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.

“The request for consent shall be presented in a manner which is clearly distinguishable from the other matters.”
It should be clear what data processing activities you intend to carry out, granting the subject an opportunity to
consent to each activity.

In the email address and IP address example, you can’t explain these uses as part of a single, long paragraph
detailing the operations of your marketing team, with a single consent checkbox at the end. Instead, you must
explain each data use case separately, giving data subjects an opportunity to consent to each activity individually.

If you have more than one reason to conduct a data processing activity, you must obtain consent for all those
purposes. So, if you store phone numbers for both marketing and identity verification purposes, you must obtain
consent for each purpose.

Informed consent means the data subject knows your identity, what data processing activities you intend to
conduct, the purpose of the data processing, and that they can withdraw their consent at any time.

It also means that the request for consent and the explanation of the data processing activities and their purpose
are described in plain language (“in an intelligible and easily accessible form, using clear and plain language”).
That means no technical jargon or legalese. Anyone accessing your services should be able to understand what
you’re asking them to agree to.
Data Ownership

Data ownership is the legal rights for the possession of data. A data owner has all the rights for the use of his or
her own data.

Many personal and non-personal parts of our day-to-day activities are aggregated and stored as data by
businesses and governments. The increasing data captured through multimedia, social media, and the Internet
are a phenomenon that needs to be adequately examined. Evolving integration technologies and processing
power have allowed organizations to create more sophisticated and in-depth individual profiles based on their
online and offline behaviors.

However, the issue regarding data ownership is that the data owner themselves are the ones responsible for the
privacy and security of their own data. Data owners should understand the risk associated with the data loss
(hacking, data corruption, stealing and other threats). Data owners should also understand the residual risk after
security controls are implemented.

Treating our data as our property has understandable appeal. It touches what the foundational privacy thinker
Alan Westin identified as an essential aspect of privacy, a right “to control, edit, manage, and delete information
about [individuals] and decide when, how, and to what extent information is communicated to others.” It
expresses the unfairness people feel about an asymmetrical marketplace in which we know little about the data
we share but the companies that receive the data can profit by extracting marketable information.

The trouble is, it’s not your data; it’s not their data either. Treating data like it is property fails to recognize either
the value that varieties of personal information serve or the abiding interest that individuals have in their personal
information even if they choose to “sell” it. Data is not a commodity. It is information. Any system of information
rights—whether patents, copyrights, and other intellectual property, or privacy rights—presents some tension
with strong interest in the free flow of information that is reflected by the First Amendment. Our personal
information is in demand precisely because it has value to others and to society across a myriad of uses.

Treating personal information as property to be licensed or sold may induce people to trade away their privacy
rights for very little value while injecting enormous friction into free flow of information. The better way to
strengthen privacy is to ensure that individual privacy interests are respected as personal information flows to
desirable uses, not to reduce personal data to a commodity.
References:

Cote, C. (2021, March 16). 5 PRINCIPLES OF DATA ETHICS FOR BUSINESS.

https://online.hbs.edu/blog/post/data-ethics

Damazo-Santos, J. (2020, October 14). Philippine privacy regime fails to live up to expectations.
https://mlexmarketinsight.com/news-hub/editors-picks/area-of-expertise/data-privacy-and-
security/philippine-privacy-regime-fails-to-live-up-to-expectations

Wolford, B. (n.d.). What are the GDPR consent requirements? https://gdpr.eu/gdpr-consent-requirements/

Upadhyaya, V. (2017, January 2). What are the issues surrounding data ownership and security?
https://www.quora.com/What-are-the-issues-surrounding-data-ownership-and-security

Kerry, C. (2019, June 26). Why data ownership is the wrong approach to protecting privacy.
https://www.brookings.edu/blog/techtank/2019/06/26/why-data-ownership-is-the-wrong-approach-to-
protecting-privacy/