
Data protection day: Privacy as a fundamental aspect of ESG


Environmental, Social and Governance (ESG) requirements are increasingly high on the agenda of many companies, as they have become an important criterion for investors, customers, suppliers and employees when deciding whether or not to engage with a company.

Traditionally, the term "ESG" is associated with "classic" negative human and environmental impacts such as forced labor, child labor or greenhouse gas emissions. This e-zine demonstrates that privacy and data protection are equally fundamental aspects of corporate social responsibility and sustainability, and that a responsible ESG policy goes beyond mere compliance with applicable privacy laws.

An appropriate privacy policy entails that a company respects the three ESG criteria in the manner it handles data.

Under the Governance aspect, companies must ensure the fundamental rights to privacy and data protection of natural persons when processing personal data. In this regard, the General Data Protection Regulation (GDPR) gives natural persons more control over their personal data, forces companies to process this data lawfully and transparently, and ensures effective enforcement through serious sanctions. 

Under the GDPR, companies already bear substantial responsibility for the processing of personal data carried out on their behalf by (internal or external) parties. For example, a company must enter into a data processing agreement with each processor, and any transfer of personal data to processors outside the European Union must be covered by appropriate safeguards for the protection of the rights of natural persons. This can be done, for example, through the adoption of binding corporate rules at group level.

The importance of sound privacy policies towards business partners is further emphasized in the recent ESG-specific legislation. Based on the observation that existing EU legislation does not always apply to the value chains of companies outside the European Union, the proposed Corporate Sustainability Due Diligence Directive (CSDD Directive) encourages companies to assess and manage human rights violations regarding privacy and data protection across the entire, global value chain through appropriate due diligence measures, following the OECD Due Diligence Guidance for Responsible Business Conduct. Data supply chains are no exception, as they are often a source of data breaches or other unlawful processing of personal data.

Today many companies rely on voluntary standards such as the Global Reporting Initiative (GRI) Standards for their ESG reporting. Under GRI Standard 418, companies commit to providing information about their effects on customer privacy, specifically in connection with complaints about data breaches and loss of customer data.   

However, the link between privacy and ESG goes beyond compliance with privacy laws or standards. Given the far-reaching nature of data-driven technologies such as artificial intelligence and big data mining, companies need to be more aware than ever of the ethical implications of certain processing activities (the Social aspect). This is even more true when special categories of data are processed, such as health data, genetic data or data on ethnic origin. After all, companies have a social responsibility to protect personal data. Administrators will have to weigh the trade-off between their long-term reputation and short-term profits from unrestrained data processing, as shareholders will be increasingly mindful of the ethical growth of their companies.

Moreover, there is also an Environmental aspect to privacy and data protection that should not be underestimated. Maximizing the commitment to the principles of minimal data processing and storage limitation, exchanging physical data centers for cloud storage whenever possible, and deliberately using energy-efficient technologies, will lead to a more sustainable environment for people and planet. 

In short, privacy and data protection are inseparable from ESG and go beyond GDPR compliance. Responsible data management (both internally and with respect to the global data supply chain) is essential to maintaining the necessary trust of customers, employees, business partners and investors. 
