The processing of personal data ought to be lawful, fair and transparent and should meet the reasonable expectations of the individuals concerned. This ethical principle not only underpins the European Union’s General Data Protection Regulation (GDPR), which became applicable in 2018, but is also a guide to robust ethical corporate behaviour generally.
Organisations that come within GDPR’s jurisdiction need to be able to demonstrate they have a lawful basis for processing data – for example, by obtaining the consent of the individual, fulfilling the terms of a contract or pursuing a legitimate interest of the organisation that is not overridden by the interests of the individual. They also need to be able to explain in clear terms what the processing involves, including meaningful information about the logic behind any automated decision-making. Where a processing activity is likely to present a high risk to the rights and freedoms of individuals, a data protection impact assessment should be carried out before processing begins and appropriate measures put in place to mitigate the risk.
As a rule of thumb, quite apart from any legislative requirements, data should be sourced and shared responsibly. If an organisation does not know the provenance of the data it holds, or cannot verify that the data is properly protected once shared with third parties, the likelihood and impact of a data breach both rise.