The Challenge of Handling Data Ethically

Internal Auditor’s latest winning scholarship essay discusses the ethical issues that can arise in an organization’s collection, use, and analysis of data, and how internal audit can help.

Daniel Regan

With new territory come new ethical issues. Rapid developments in technology have provided organizations with more data than ever before, but they have come at a cost. Management and internal audit must work together to define ethical issues relating to handling data or risk heavy fines resulting from noncompliance with severe data privacy regulations, which will soon affect organizations in Europe (Piper, 2017).

The increase in cybercrimes and data thefts has eroded customers’ faith in data and left businesses to determine how much time and resources they should invest in securing data from being stolen (EYGM, 2017). To compound the complexity of the problem, there are growing concerns regarding privacy rights as they relate to how data is collected, used, and retained. The use of data is not always clear upon collection, which creates an enormous challenge of explaining to data subjects how their data is to be used. Moreover, data subjects may not always know to what they are giving consent. Although a compliance-based approach may fail to address this ethically sensitive area, internal audit can help organizations navigate the challenge of ethically handling data (Piper, 2017).

Management’s responsibility is to identify, assess, and address emerging risks (Marks, 2016), but internal audit can add value to this process by understanding the organization’s data privacy risks and controls and by supporting the effectiveness of controls with a risk-based approach (Piper, 2017). Questions should be asked, such as “How does a company store personally identifiable information, and who owns it? How does it [the company] address regulatory issues and privacy breaches?” (Blanchard, 2015). What are the risks associated with data being used in a way that deviates from its intended use? Internal audit must think beyond IT application and general controls to help management protect data access and use.

Internal audit can also provide suggestions to mitigate identified risks and build trusted relationships, such as establishing formal requirements for addressing privacy obligations. According to EY, “fifty-four percent of organizations have no formalized requirements for addressing privacy obligations while using big data.” Along with privacy obligations, internal audit may suggest minimizing or de-identifying personal information (EYGM, 2017). It is important for internal audit to connect these suggestions to specific business objectives when educating management through their audits (Piper, 2017).

Data cannot be ignored; virtually every business is driven by data. The threats that data presents to organizations are unparalleled, but internal audit may be the key to helping organizations answer the question, “What does data mean to the success of our company both today and tomorrow?” (Piper, 2017).


Blanchard, Rob. (2015). “Big Data Risk and Opportunity.” The Institute of Internal Auditors. Retrieved from

EYGM. (2017). “Big Data: the Growing Trust Deficit.” Cybersecurity, EYGM. Retrieved from

Marks, Norman. (2016). “Internal Audit and the Internet of Things.” The Institute of Internal Auditors. Retrieved from

Piper, Arthur. (2017). “In Safe Hands.” The Institute of Internal Auditors. Retrieved from
