
Is Your Data Supply Chain Ethical? Don’t Restrict Due Diligence to Physical Operations.

Where the Risks Lie, and How to Maintain Integrity

by Andrew Blasi and Nicholas Diamond
June 15, 2021
in Data Privacy, Ethics

Both your company’s data supply chain and its physical version have fundamentally similar business risks. Given the consequences of unethical practices along both, enterprises can no longer ignore how data is sourced, how it is managed or where it is going.

While many organizations go to great lengths to monitor their physical supply chain, their data supply chain often gets short shrift. For any company interacting with large sets and various streams of information, this can represent a significant exposure to risk.

Since the first investigation under the U.S. FCPA concerning a third party acting on behalf of a U.S. company was initiated nearly 40 years ago, upholding integrity in global supply chains has garnered attention. Rightfully so, as compounding risks in physical production and movement of goods abound upstream (e.g., forced labor, conflict materials, environmental impact) and downstream (e.g., bribery, fraud, misuse).

Business Integrity and the Data Supply Chain

Not only have these risks accounted for a sizable portion of the nearly $30 billion in sanctions paid in FCPA enforcement actions, but they are the source of immeasurable costs in legal fees, reputational impact and market loss. It is now well-established that businesses can be held legally and/or socially responsible for ethical lapses in the extended supply chain in which they participate, even where direct involvement may be limited.

A1) Current org is working hard on supply-chain-of-data initiatives feeding a #cloud-based #DataLake (after initial, on-premises builds). What kind of analytics are the biggest data consumers is an open question, changing daily. #ciochat

— Chris Petersen (@CPetersen_CS) February 20, 2020

What about the data supply chain? Global enterprises regularly collect, manage and share data throughout their business operations as well as through partnerships and requests from external researchers. Just as business integrity risks can flow from human activities in the physical supply chain, so too can they flow from underlying human activities in the data supply chain.

Where Are the Risks?

While multinational enterprises maintain robust integrity processes to monitor and respond to ethical risks in the physical supply chain, many companies have yet to create the same for ethical risks in the data supply chain, which are rapidly evolving. There are four key components to consider in maintaining integrity in the data supply chain:

Data Collection

Is the data that your company collects, directly or through vendors, ethically sourced? What are the values or principles that constitute ethically sourced data in your industry? What are the potential consequences of ethical dilemmas in data collection?

Data Management and Use

Is the data that your company has already collected being properly maintained and utilized? If the data was ethically sourced, how is the company ensuring it will remain so? How will your company avoid “corrupting” data in a new way, not by introducing errors, but by merging ethically sourced data with unethically sourced data? Has the original intent for how the data will be used changed under your care?

Data Sharing

Is the data your company shares with other parties, directly or through vendors, ethically constituted? How will your company avoid sharing unethical data and thus becoming party to its spread? What are the potential consequences of ethical dilemmas in data sharing?

Data Retention and Disposal

What are the ethical values driving how your company chooses to retain or dispose of data? How does the retention or disposal of data benefit the stakeholders you serve or with whom you interact? What are the potential consequences of ethical dilemmas in data retention and disposal?

What Is the Magnitude of the Risks?

The consequence of ignoring these factors could be significant, encompassing both specific legal risks as well as reputational damage and market loss. For example, depending on the nature of the business, provisions in the European Union’s General Data Protection Regulation (GDPR) and the U.S. Health Insurance Portability and Accountability Act (HIPAA) can present several areas of exposure.

What’s more, core human rights due diligence principles, such as the United Nations Guiding Principles on Business and Human Rights (UNGPs), further influence how businesses should navigate these risks. For example, business activities along the data supply chain, including in cooperation with partners, should be supported by policies and procedures to ensure the identification, prevention and mitigation of adverse human rights impacts.

Consider these examples of risks arising along the data supply chain:

  • Suppose that a leading technology enterprise is celebrating a groundbreaking ethical approach on the use of artificial intelligence across its business, only to realize the data it is collecting and feeding into that approach is unethically sourced.
  • Suppose that a biopharmaceutical enterprise submits a new product for regulatory approval, only to realize that the data collected from outsourced clinical trials is based on insufficiently informed consent.
  • Suppose a media enterprise harnesses social media data sourced from children that was intended as private communications, merging this data with ethically sourced commercial data to shape the company’s marketing strategy.
  • Suppose an industrial enterprise shares sensitive, ethically sourced data with an external organization without sufficient due diligence, resulting in this data becoming integrated with unethically sourced data and/or being utilized in an unethical manner.

It is possible that businesses, both individually and across entire industrial sectors, may face considerable penalties and possibly even lose their “social license” to use data through a severe loss in trust. However, unlike the consequences from ethical lapses in the physical supply chain, the consequences of losing a social license to use data in today’s economy would be akin to removing the tracks from a railway system.

How Can Businesses Respond?

Businesses need a strong and constantly improving framework to predict, assess and manage ethical risks in the data supply chain. Because of the collective risks associated with misalignment within the same sector (i.e., one bad actor can threaten the social license to operate for good actors), it is advisable that leading businesses within the same industries embrace a co-created approach with peers and partners that harmonizes high standards, ideally in collaboration with policymakers and civil society where appropriate.

To implement these ethical frameworks, it is also likely that many businesses will need to place stronger demands on data vendors, even those with significant market power. The same was true several decades ago, and in many places is still true today, for companies and the third-party suppliers and distributors that interact with their physical supply chains: significant due diligence processes were established for third parties to prevent bribery and other ethical violations. Similar expectations will soon be upon us to align vendors with upholding integrity in data supply chains.

Businesses will also need to successfully communicate and advocate the importance of the data supply chain to innovation and to improving quality of life for everyone across society. This advocacy should be well-balanced with the prevention of ethical lapses and the remediation of them as they occur. Businesses can demonstrate and partner with governments and other stakeholders to strive for this balance, rather than responding to challenges by overly limiting the efficacy of the data supply chain. It is just too important to forgo.

Getting a head start on a strong ethical framework to mitigate the consequences of ethical lapses will provide a notable advantage.


Tags: Data Governance, Supply Chain, Third Party Risk Management
Andrew Blasi and Nicholas Diamond

Andrew Blasi is a Director for C&M International, the global policy and regulatory affairs affiliate of Crowell & Moring LLP, where he guides the development and management of large-scale, multisectoral partnerships around the world. Prior to joining Crowell & Moring, Andrew served as the Pamela Harriman Foreign Service Fellow to Ambassador Robert Tuttle at the U.S. Embassy in London. Andrew has also worked in the Congressional Liaison Office of the Australian Embassy in Washington, D.C. and the U.S. House of Representatives Foreign Affairs Subcommittee on Europe.
Nicholas Diamond is a Director and leads the Global Health Group for C&M International and is an Adjunct Professor of Law at the Georgetown University Law Center.
