It may not be immediately obvious how privacy is relevant to ESG, or Environmental, Social and Governance. There is no ‘P’ or even a ‘D’ for data or data protection. In Your ESGuide in 5, we look at how privacy is, in fact, increasingly central.
- Privacy is central to Governance
Privacy most obviously falls within ‘G’ – the governance element of ESG. Over the last few years, privacy regulation has moved from principle-based requirements (follow the rules and you will be compliant) to heavy governance and accountability-based legislation (you can’t just follow the rules, you have to demonstrate how you do so). This has been most notable in the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, but governance now sits at the heart of data protection laws around the world. In fact, some form of privacy law is now in place in over 80 countries globally.
Companies must: deploy appropriate data collection and processing practices; facilitate rights requests from individuals regarding their data and ensure internal accountability; implement privacy by design and default; and establish technical and organisational measures and security standards, amongst other things. Failure to comply can lead to steep fines and increased legal liability, and is a major red flag for reputational damage. None of this can be achieved without good governance structures and policies.
- Privacy can also be found in Social
Privacy is also highly relevant to the social arm of ESG concerns. Companies have a responsibility to protect the privacy and information of their employees and customers, and customers and investors are increasingly making decisions on companies’ privacy credentials. The most recent annual report from the UK data protection regulator, the ICO, states that 77% of those surveyed in 2021 agreed that protecting their personal information is important to them. Data protection compliance lies firmly in the realm of ethical business practices and, as the Institute of Business Ethics has repeatedly pointed out, companies need to demonstrate that they are carrying out their core business to consistently high ethical standards. The societal impact of data use and the privacy impact of new technologies, including the growing use of AI, facial recognition and the metaverse, combined with the focus on big data in digital transformation programmes, means this is imperative, and the challenge to companies to prove they are responsible is only going to increase.
- Don’t forget the Environmental factors
Although not so immediately apparent, privacy is also relevant to the environment. Climate change is one of the highest priority factors on everyone’s ESG investment wish list, and a study by Jet Global suggests that data legislation is actually saving 360 tonnes of CO2 from polluting the atmosphere every day. This is because of key principles under the GDPR, such as data minimisation (only collecting necessary data) and storage limitation (not keeping personal data for longer than you need it), as well as opt-in requirements leading to a reduction in the number of marketing emails that are being sent.
- Good privacy practices can frame broader success
Given how privacy therefore already sits across all three limbs of ESG, it can be an incredibly useful base for wider success and improvement of ESG credentials. Without even having considered ESG specifically, companies who have invested time and resource in their privacy programmes since the implementation of GDPR in 2018 may find they have already created governance structures, review mechanisms and forms of engagement with users that can also be tailored for other elements of ESG. Companies that have privacy board reports and discussions, data ethics councils, and have reflected on how they want to be seen in terms of privacy protection will be able to broaden or duplicate such hard work for wider social and environmental reflection and engagement.
- The P: Ignore it at your peril
Taking responsibility for what you do with data, and showing the steps you have taken to protect people’s rights, not only results in better legal compliance, but also offers you a competitive edge. What’s more, if something does go wrong and you cannot show good privacy practices, it may leave you open to fines and reputational damage. In 2021 alone, GDPR fines totalled more than €1 billion. Beyond fines, there are the risks of lost investment and of consumers walking away.