Skip links

“GDPR is What we Must do. Data Ethics is What we Want”

Emento is one of the most data ethical organisations in Denmark. Data ethics is used to create new opportunities rather than being a limitation.

Emento’s website is liberatingly free from any kind of cookie banner. The website is stripped of third-party cookies – including Google Analytics. They have been abandoned because it is opaque what data is used for and who it is shared with. According to GDPR, you are allowed to use third-party cookies, as long as you do it in the manner prescribed by law. But maybe you also want to be data ethical and completely remove the little spies that share data with thousands of other companies in the ad-tech industry?

Emento, which sells a digital process guide platform for the healthcare sector, has won the first data ethics award in Denmark. The company thinks about everything they do and don’t do with data, and they succeeded especially in anchoring their work with data ethics across the organisation. Data ethics is not a project or a task. It’s a business strategy, says Lyng Salling, the company’s DPO, who joined Emento when there were only six employees. As a graduate in Innovation Management, she was the only one without a technical background. As a result, tasks related to data protection quickly landed on her desk.

“For non-lawyers, GDPR is a bit difficult to dance with. I needed to start with common sense and something that was easier to work with, so we started with DataEthics.eu’s data ethics principles,” explains Lyng Salling.

She has an education as a DPO (Data Protection Officer) and she also leans on a group of lawyers that Emento has assigned as external DPOs. The collaboration contributes to an in-depth understanding and compliance with GDPR, which of course is a prerequisite for data ethics. Emento’s GDPR compliance is audited via ISAE3000 – where external auditors audit everything related to GDPR.

However, Lyng Salling thinks that Emento’s data ethics can embrace a broader scope than GDPR.It’s about fundamental human rights and therefore also covers upcoming regulations such as NIS2 and the AI act. This makes it easier to incorporate into company culture and business strategy.

Danish and German Cloud Service

Unlike most other Danish companies, Emento does not use large US cloud services. The health authorities buy hosting through Emento, and Emento has therefore been through a thorough selection process. In Germany, they use a German solution with a German headquarter, and in Denmark they use a Danish solution.

In addition, Emento is very conscious in its choice of services and sets default settings to not share data. If this is not possible, they find an alternative, e.g. they use Deepl.com instead of Google Translate, because with the latter they don’t know where data is stored.

When the Law Stands in the Way

Lyng Salling, who has worked with data ethics for almost six years, has a specific challenge where GDPR prevents them from being data ethical.

“Under GDPR, you have a duty to inform users.Most have a privacy policy for this, but we are only responsible for the patients’ profiles in our system, so we only have to inform patients about the data in their profile, while the healthcare system is responsible for data in connection with their course of treatment. So patients need to read both our privacy policy and the public sector’s privacy policy.Because we have this principle of openness and transparency, we chose to inform patients about everything in our privacy policy, but we are not allowed to do that. We have to delete that. So in this way, the legislation prevents us from being transparent and data ethical.”

Today, there are 25 employees in Denmark and 14 in Germany, and Emento is looking into more exciting international markets. Perhaps they will include data ethics in their ISO-27002 control framework, so that external auditors can confirm that what they say, they do.

Artificial Intelligence is a Challenge

Another big challenge is AI. Emento currently has an acceptable use policy for generative AI, GenAI.

They have planned an AI week where all employees must have a thorough understanding of GenAI. They are then tasked with coming up with ideas on how AI can improve their work tasks. Together, they will have some discussions about data ethics and security considerations for each proposal.

Lyng Salling explains that Emento places the same ethical requirements on their suppliers as they do on themselves.

“But it’s important for me to emphasise that we use data ethics to create opportunities. We make choices and opt-outs.And it is first and foremost about how we can use data in a positive and responsible way.”

Lyng Salling is also humble and realistic when setting the data ethics bar for Emento.

“We try as much as possible to share our knowledge about data ethics so that others can start somewhere that makes sense to them. We ourselves try to create a meaningful balance between our stance on data ethics and the business, but with the opt-outs and opt-ins we make, we make sure that we have peace of mind no matter what.”