Is your privacy programme supporting your ESG efforts?

Philipp Rosenauer
Partner Legal, PwC Switzerland


Antonios Koumbarakis

Head Sustainability & Strategic Regulatory, PwC Switzerland

The environmental, social and governance (ESG) agenda has gained significant traction in the last couple of years. Companies around the world are focusing on becoming compliant with various regulations. However, the first topics that come to everybody’s mind when talking about ESG are the reduction of carbon emissions, human capital development and business ethics. But, for example, just making the switch from paper to digital to reduce the environmental impact isn’t enough.

Overview

What’s often forgotten is that regulatory authorities are also focusing on data privacy and data security as crucial ESG topics. Going forward, organisations will be assessed against the background of numerous metrics that are evolving. Examples might include the likelihood of security incidents like data breaches or the amount of personal data a company collects.

With all of these efforts dedicated to corporate initiatives aimed at producing beneficial social outcomes, the time is right to also take a closer look at how the topic of data privacy can contribute towards the ESG agenda. Data privacy involves more than just complying with the relevant laws and regulations and reducing risks. Privacy leaders can make a significant contribution towards showing how the company is also having a positive impact on society.

But can privacy programmes contribute to ESG scores?

Finding privacy in ESG

There are many ESG frameworks and models. Finding privacy in some of them isn’t always easy. In those, the word privacy is nowhere to be found, in spite of the fundamental importance of personal data in driving positive social outcomes. Data privacy and security is called out directly in a few of the leading third-party products. The ESG standard that your company chooses will determine if privacy outcomes are a direct or indirect contributor to higher ESG scores.

The easiest starting point for many companies will be in the governance component. Because of the growing importance of employee and consumer data to businesses in every sector, demonstrating the effective governance of privacy programmes is now a board-level responsibility. It’s easy to foresee a time when formal attestations of privacy programmes or the adoption of binding corporate rules – where boards are directly accountable for privacy programme performance – contribute to the governance component of ESG scores.   

Depending on the sector and business model of a company, privacy outcomes could also bump up scores in the social component. As companies implement data-intensive technologies and artificial intelligence, they’ll need privacy and data ethics programmes that are not only designed to sustain regulatory compliance, but also to achieve positive social outcomes like reducing disparities among racial, gender and socioeconomic groups through their products and services. 

Entering ‘personal data sovereignty’

Another way to measure the contribution of a privacy programme is to quantify its performance on personal data sovereignty. This is the ability of people to control their personal information. Why is this important for ESG purposes?

First, it’s already needed for basic good governance. Since the start of the EU GDPR, people have, for the first time, the right to access and delete their personal data. More importantly, in a data-driven economy, disadvantaged people need to know more than anyone how data is used to make decisions about them, and what they can do about it. Personal data sovereignty – while still limited by our ability to understand complex data ecosystems – can nonetheless enable people to achieve their full potential.

From a privacy programme perspective, it means three things:

  • Offering the basic privacy rights of access, correction and erasure generally
  • Encouraging people to engage and exercise these rights, and
  • Deploying effective pseudonymisation capabilities to be able to use data to achieve social goods in a tripolar privacy world of increasing data localisation and restriction.

Other ways to contribute towards the ESG agenda might include centralising technology in the cloud to reduce costs for physical server rooms, or promoting data minimisation and reducing data footprints. These actions have a long-term impact on the environment: if the need for data storage decreases, the necessary server space and the energy required to store data also decrease.

This is how a chief privacy officer can engage in their company’s ESG programme.

Outlook for privacy strategies

Most companies started the century with de facto privacy strategies of sustaining compliance and reducing risk. The growing and varied array of privacy laws around the world and the accelerating adoption of new technologies and data analytics made achieving these strategies a challenge in its own right.

The growing worldwide public demand for socially responsible commercial enterprise has ushered in a third strategic imperative for privacy programmes: trust. By connecting with their ESG initiatives, privacy leaders can show how their programmes are enabling the responsible use of data and technology to create sustainable value.

Besides that, investors will be increasingly treating data privacy as an indicator of an organisation’s ESG approach. Shareholders will also be interested in the ethical growth of the company.

Remember that data privacy is not negotiable. In Article 12 of the Universal Declaration of Human Rights, the United Nations already considered data privacy a fundamental human right. More than ever, companies now have a social responsibility to respect personal data. Wise judgment must be exercised in weighing reputation on the one hand against profits derived from third-party data collection and use on the other. To rebuild the trust in privacy that has been lost, privacy needs to be positioned as a social value.

For more information on how to best integrate the topic of data privacy into your ESG programme, please contact one of our experts. 

