No doubt you’ve heard of ESG, the acronym for Environmental, Social, and Governance, often used as a measure of socially responsible companies that care about the impact they make on the world. The term was coined in 2004 in "Who Cares Wins," a milestone report from a UN joint initiative launched under Kofi Annan, and in the nearly two decades since it has become an increasingly important regulatory and reputational concern for corporations, investors, and perhaps most importantly, conscious consumers. Today, ESG refers to a set of non-financial metrics used to measure the environmental, social, and governance performance of companies. Environmental includes measures related to energy efficiency, pollution prevention, and environmental stewardship. Social includes measures related to employee welfare, community involvement, and human rights. Governance includes measures related to corporate governance, corporate transparency, and executive compensation.
Enter data protection, the new kid on the ESG block. Call it the merging, or perfect storm, of three rising concerns:
1. Data privacy and cyber-security issues have become significant drivers of business risk as companies digitize and business models shift toward complex, data-driven products and services.
2. Widespread collection and use of personal data means that data privacy and cybersecurity have become issues for companies across a broad range of industries.
3. Environmental, Social, and Governance (ESG) performance is gaining importance in the corporate world.
The outcome is that data privacy and security are becoming a vital component of ESG. Organizations of all sizes now need a foundational understanding of how privacy and security for ESG might function both internally, across many dimensions, and externally, as a potential selling point to customers. Size does of course matter: one computer, one customer, and one employee versus one million computers, customers, or employees require different methods to address different ESG needs, but fundamentally there is value in ESG for everyone. Equally important, customers expect information about data protection compliance and standards.
Data privacy and security are integral to all three letters of ESG. For example, companies can find greener ways to collect, process, and store data to benefit the “E” in environment. The “S” in social is met by, for example, protecting personal data from security breaches and ensuring privacy. And the “G” in governance pertains to the systems an organization sets up to manage data security and privacy. In short, a company with a good data footprint is better for the environment, builds social value, and is the product of good governance. Yet because dramatic changes are occurring quickly in both ESG and the data and privacy fields, regulation lags behind the need in this space. As cyber threats, data breaches, and the sheer volume of data all become increasingly relevant, it’s up to the business world to assume the corporate responsibility that aligns with ESG objectives. ESG is a unique opportunity to step up to these challenges.
Best practices for ESG data privacy and security
What are the best practices for organizations to effectively develop and manage a strategy for data privacy and cybersecurity related ESG issues?
Regulations are the easiest starting point, if only because they present clear rules to follow. Sitting down with internal stakeholders to map out ESG, with data protection as a component, can help prioritize internal efforts and then guide the desired reporting inside and outside the organization. Within a global business, identifying the specific people who have a critical role and impact in defining and addressing ESG-related risk and opportunity is a first step. Everyone (employees, employers, customers, vendors, the Board of Directors, and investors) may be considered a stakeholder in this model. Transparency is also essential, both as a way to enhance organizational accountability through disclosures and as a way to improve customer confidence.
Here are three best practices for building solid ESG strategies.
1. Assign and train a dedicated ESG team to establish goals and metrics, evaluate the effectiveness of current policies, and develop new ones.
2. Establish a framework that aligns with the appropriate global and regulatory structures. Transparency of processes is an indispensable aspect of that framework.
3. Consider tools to collect, manage, and monitor relevant ESG data. As a time saver, they are invaluable.
Privacy professionals can help customize these practices for individual organizations and approach ESG as a multi-disciplinary effort.
The ESG Ideal
A positive trend is the newly acute awareness, adoption, and meaning of letters that have been around for a while, yet have lacked shared focus, standards, and definitions. ESG practices are, with time, becoming increasingly effective and refined.
What’s still needed is a harmonization of the regulatory landscape to make it easier to understand and to build a common privacy ESG “language” of sorts. A common language will facilitate improved action, conversation, and disclosures, and will make ESG policies much easier to apply. Conversely, without common standards and definitions, rapid adoption can quickly give rise to greenwashing: the practice of using marketing and public relations to give the impression of ESG compliance while the company continues unhealthy practices.
As data privacy and ESG become more prominent for consumers as well as investors, companies face significant regulatory and reputational risks if they don’t properly handle and protect data. And, perhaps less obviously, companies can receive a lower ESG score on surveys if, for example, they don’t have data minimization policies in place or don’t provide appropriate data ethics disclosures.
Yet even more than reputations and survey scores, organizations that want to be “true to the ESG ideal,” to quote Vishal Salvi, Chief Information Security Officer & Head of Cyber Security Practice at Infosys, “should be guided by its spirit of governance, rather than just the law.”