Danish companies want to make it a competitive advantage to behave ethically with personal data and are therefore about to establish a seal for ‘good IT security and responsible data use’. It is backed by the Danish government, and The Danish Industry Foundation is funding the initiative, which has no independent auditing or governance.
The goal of the data seal is to give Danish companies a boost in data security and make it more attractive for them to handle data responsibly, according to a prototype report (in Danish) initiated by the Danish Business Authority and made by KL7, a Danish company working with behavioural design (nudging).
To develop the prototype, including the criteria, KL7 spent a month on a ‘design-sprint’. Via email, it asked 36 experts in responsible data use and 20 experts in data security (how many answered is not known) to state, through a multiple-choice-style questionnaire, what was ‘very important’, ‘important’, ‘less important’ and ‘not important’. All average scores less than ‘important’ were removed.

The 8 criteria are:
- Embedded in top management. Is the top management taking responsibility over IT security and data use?
- Technical IT security. The company lives up to current standards for IT security when it comes to anti-virus, firewall, software etc.
- Subcontractors' data usage. The company has made a risk assessment of all its subcontractors and, in case of a critical risk assessment, it has made a plan of action.
- Control of own data. It is easy for consumers and partners to understand which data are necessary to deliver a service and to change whether they accept the treatment of non-necessary data.
- Awareness and security among staff. The staff is regularly trained, tested and evaluated when it comes to awareness and competences in treating data and data security.
- Fair and non-biased algorithms. The company trains its algorithms on data which represents a group of people and has a process to de-bias automated decisions.
- Clear communication. The company’s privacy policy is easy to find and understand for everybody, and decisions made on profiling and automated processes are transparent and communicated in clear language.
- Non-personalised data. The company has a clear goal and concrete strategy on how to anonymise and pseudonymise personal data.

According to the press release, the companies’ trade organisations (DI, DE and SMVDanmark) will run the secretariat, which will also be responsible for auditing (themselves), and a board – also with the Consumer Council in it – will oversee it.
As an independent thinkdotank, DataEthics.eu has not been involved in this work. DataEthics.eu was represented in the original government-appointed commission, which recommended establishing a data ethics seal, but we advised that it should be done with independent auditing and governance.