Compliance is the floor, not the ceiling.
An organization that does exactly what GDPR requires has met its legal obligations. But legal compliance and ethical data use are not the same thing. Cambridge Analytica was, technically, operating within the consent framework Facebook had established. That didn't make it right, and the reputational damage to Facebook was catastrophic.
The most sophisticated CDOs build a data ethics framework that goes beyond regulatory compliance. Not because they're idealists, but because institutional trust is a competitive asset.
Trust is quantifiable. Apple's "Privacy. That's iPhone." marketing campaign was a commercial strategy, not a moral statement. After the Cambridge Analytica scandal, consumer surveys consistently showed that a significant minority of Facebook users reduced their usage due to privacy concerns. WhatsApp lost users in Europe to Signal and Telegram after its privacy policy update.
Edelman's Trust Barometer shows that consumers are increasingly factoring data privacy into purchase decisions, especially for brands handling sensitive data (financial, health, children). A 5% reduction in customer trust in your brand translates to measurable revenue impact in markets where competitors have built a trust advantage.
Cambridge Analytica harvested data from 87 million Facebook users without their explicit knowledge or consent, using a personality quiz app that collected not just the quiz-taker's data but the data of their friends. Facebook had allowed this practice through its platform APIs.
Was it legal under Facebook's Terms of Service at the time? Arguably yes. Was it ethical? Clearly no. Did it matter? Facebook's market cap dropped $100B in the days following the story. Zuckerberg testified before Congress. The EU accelerated GDPR enforcement. Facebook (now Meta) paid a $5B FTC fine, the largest privacy fine in US history to that point.
The lesson: what users and regulators permit today can become a scandal tomorrow when practices that were technically legal are judged by evolving ethical standards. The CDO who asks "is this right?", not just "is this legal?", protects the organization from this risk.
Vérification des acquis
1. According to the lesson, how many Facebook users had their data harvested in the Cambridge Analytica scandal?
2. What was the amount of the FTC fine Facebook (Meta) paid following the Cambridge Analytica scandal?
3. The lesson references Edelman's Trust Barometer to support which broader argument about data ethics?
4. Select ALL correct statements about the Cambridge Analytica case as presented in the lesson:
Sélectionnez toutes les réponses correctes.
5. Select ALL reasons the lesson gives for why sophisticated CDOs build data ethics frameworks beyond regulatory compliance:
Sélectionnez toutes les réponses correctes.
Principle 1: Proportionality
Collect only what you need for the declared purpose. If you're collecting location data to estimate delivery time, you don't need precise GPS coordinates, a zip code is sufficient. The principle: minimum necessary data for the stated purpose.
Principle 2: Transparency
Users should understand what data you collect, why, and how it's used, in plain language, not legal terms. The "newspaper front page test": would you be comfortable if The Guardian published exactly how you're using this data? If not, reconsider.
Principle 3: Fairness
Data use must not create unfair outcomes based on protected characteristics. Algorithmic bias, where models trained on historical data perpetuate or amplify discriminatory patterns, is both an ethical problem and an increasing regulatory one (the EU AI Act explicitly addresses it). A credit scoring model that systematically disadvantages applicants from certain postal codes (a proxy for race or income) may be technically accurate but ethically problematic.
Principle 4: Accountability
Someone must be accountable for data ethics decisions. In most organizations, the Data Protection Officer handles legal compliance. The CDO should own the broader ethics agenda, including AI ethics, algorithmic fairness, and data use beyond personal data.
Leading organizations are creating Data Ethics Boards: cross-functional bodies with authority to review proposed data uses against ethical standards, beyond legal compliance.
Membership: CDO, DPO, CHRO (employment data), CISO (security), Legal, and external members (ethicist, consumer advocate, or academic). External members are essential, they provide independence that internal members can't.
Mandate: Review any proposed data use that is novel, sensitive, or ethically ambiguous. Decisions are documented and create precedent. The board's role is advisory but influential, a "no" from the ethics board should require CEO-level override.
Apple, Microsoft, and IBM have published their AI ethics frameworks publicly. Use them as references for building your own, and be specific enough that your framework gives practical guidance on real decisions, not just abstract principles.