Partner Article

Understanding Data Security & Privacy in ESG

Organisations are paying more attention than ever to privacy protection. Data privacy and security should therefore play a prominent role in ESG policies.

Those that don’t put Environmental, Social and Governance (ESG) policies front and centre stand to lose out. Why? ESG performance has become a competitive differentiator for stakeholders, from investors and employees to suppliers and consumers.

Conversely, an effective ESG strategy can positively impact a company’s financial performance, reputation and risk management.

Indeed, a strong ESG proposition can create value for businesses in five core ways: facilitating top-line growth, reducing costs, minimising regulatory and legal interventions, increasing worker productivity, and optimising investment and capital expenditures.

Data privacy & security is an ESG win

With climate change an ever-pressing concern and mandatory reporting requirements enshrined earlier this year, the focus has been on the environmental pillar.

But privacy and security – traditionally seen as social matters – are fast becoming areas to concentrate on, with analysis by Bloomberg Law confirming an increasing number of companies consider data privacy an ESG matter.

That sentiment is echoed when it comes to investors: cybersecurity is their second most concerning ESG issue, behind anti-corruption. Moreover, it’s increasingly clear that people care about the ethical use of their data, demanding accountability and transparency from the businesses they interact with.

Supporting that is a consumer survey from the Open Data Institute (ODI) and YouGov, revealing that 87% of respondents feel it is important that organisations use their data ethically.

However, with trust levels falling below 50% across several sectors – financial services, utility providers, and the government – there’s still work to do. To remedy that, incorporating data privacy and security into ESG comes into play, helping companies build a reputable brand.

ESG security & privacy moves beyond compliance

While robust management of personal and sensitive data should be built-in by companies, many jurisdictions have a formalised approach via laws like the EU’s General Data Protection Regulation (GDPR). With that in mind, compliance teams must understand the legislation that applies to them and disclose breaches accordingly.

Impact on social

But stakeholders are increasingly seeking more than regulatory compliance: a 2021 survey by PwC highlights that 83% of employees and 76% of consumers are more likely to work for or buy from a company that stands up for social issues.

And so, by going beyond the traditional ‘regulatory compliance’ approach and including security and privacy metrics in the social element of ESG policies, businesses identify related issues that lay outside the legislative arena. In turn, that improves transparency, data management and risk mitigation. Embedding privacy and data ethics into ESG strategies also highlights strategies, practices and safeguards that aren’t captured in financial statements.

Impact on environmental & governance

The environmental dimension is also positively impacted. How? By linking data privacy and security with ESG, companies can promote greener ways to collect, process and store data, reducing their carbon footprint. Meanwhile, robust internal data protection and security policies ensure regulatory compliance and assure stakeholders that data handling is ethical, strengthening governance.

What are the GRI Standards?

Many companies use an ESG framework as a systematic way to set goals, implement strategies and track progress. As part of that, they may voluntarily leverage third-party reporting standards.

The GRI Standards are the most widely used. Divided into Universal, Sector and Topic Standards, they “enable organisations to understand and report their impacts on the economy, environment and people in a credible and comparable way, thereby increasing transparency.”

By evaluating performance according to standardised criteria, The Standards are relevant to companies and stakeholders. For example, via GRI 418: Customer Privacy, firms disclose “substantiated complaints concerning breaches of customer privacy and losses of customer data”.

Businesses may leverage ESG standards in their sustainability or impact reports, highlighting achievements and updates. For instance, Mastercard’s 2021 Sustainability Report outlined cybersecurity principles and an expanded commitment to data responsibility and privacy.

What does your ESG security & privacy policy need?

A successful ESG strategy is built around the three pillars – environmental, social and governance. It involves general aspects like securing support from the C-suite, setting controls and procedures, arranging compliance oversight, conducting due diligence, providing relevant training and responding to breaches effectively.

From an ESG security and privacy perspective, additional considerations include:

Establishing an ethical data-use vision tailored to a company’s industry context Determining data ownership and a secure risk escalation process Exploring how to factor privacy and data into existing ESG initiatives Creating a working group to develop a corporate policy position Engaging with privacy, compliance and digital ethics subject matter experts Setting up a board to address complex privacy and ethical issues

Integrating security & privacy into an ESG strategy

The case for making data security and privacy an integral part of an ESG programme is strong: corporations, consumers, investors and employees see the merits, be it financial, reputational or ethical.

By going beyond regulations and offering transparency, companies highlight the safeguards and strategies they have in place, meaning stakeholders are better informed when making an investment or employment decisions.

Three-quarters of consumers and employees surveyed by PwC said they’d reward companies for accelerating progress on their ESG concerns. Privacy and security positively impact each pillar, so the time is now to put these areas at the forefront of ESG policies.

Samantha Martin-Woodgate is community leader / evangelist at Skillcast, a leading UK provider of e-learning and compliance training. This week, Skillcast will host its annual compliance summit in London which will include an ESG panel.

This was posted in Bdaily's Members' News section by David Stoch .