Privacy and ESG

Environmental, Social, and Governance, or ESG, has risen rapidly up the corporate agenda in recent years. Yet although 137 countries have some form of data protection and privacy legislation in place, there is still very little thought leadership on the role of privacy within ESG.

The most obvious area for privacy to be recognised as part of the ESG framework is in the Governance of data. Data protection and privacy laws expect good data management practices to be in place so that an individual’s data is kept safe and is accessible only to the right people. Those individuals include consumers, employees, and suppliers, any of whom may demand access to their data through a data subject rights request. The Governance element also covers accountability: companies must be able to show that they comply with data protection laws, which means having an appropriate escalation mechanism reflected in their Operating/Governance Model.

Data Subject Rights are a fundamental component of the GDPR, the CCPA, and other global privacy laws, and they are also one of the poorest-performing areas in the Global Privacy Culture Survey (GPCS). Managing these essentially human-rights requirements demands not only good governance but also serious consideration of the societal impact should those rights be infringed through inconsiderate and potentially unethical use of data, for example automated decisions that lead to inappropriate marketing or to discrimination in recruitment.

Finally, consider another of the worst-performing areas of the GPCS, Retention and Deletion. The question of how long data should be kept is as challenging for the IT and Cyber Security functions in an organisation as it is for Privacy. Business leaders are often reluctant to let go of data ‘just in case’, and this combines with a tendency to collect more data than is necessary. Both habits increase the volume of personal and commercial data exposed in a breach, and with it the potentially enormous consequences for the company and for the individuals concerned. The problem is now compounded by the availability of low-cost cloud storage, which lets businesses defer the retention and deletion ‘problem’ indefinitely, but at what cost to the environment?

Privacy clearly straddles all three arms of ESG. It should therefore be a key driver for close alignment between the responsibilities of the DPO, CISO, CDO, and CIO, so that both personal and commercial data are protected and managed in an ethical and responsible way that reinforces the trust of consumers, suppliers, and employees.
