The Role of Data Privacy and Security in ESG (Environmental, Social, Governance)

As the devastating effects of climate change become better understood, investors are committing capital to companies that are vigilant about their environmental impact. This school of thought has led many investors to evaluate a company’s ESG score. ESG, which stands for Environment, Social, and Governance, often refers to either ESG investing or ESG corporate programs. ESG investors look for companies that share their values, and ESG programs are the tangible practices that companies implement to attract and retain ESG investors. Research has shown that in 2020, one in every four dollars invested in the United States was allocated to sustainable companies using an ESG evaluation, and that sustainable funds attracted a record $51.1 billion in investments. A company’s investment in ESG demonstrates a positive impact on the environment, how much it values customer relationships, and its level of commitment to ethics and compliance.

Background

In the past, privacy policies did not weigh heavily in an ESG or corporate responsibility analysis. Over the last few years, however, privacy has catapulted to the forefront of consumers’ minds. Incidents such as the Facebook-Cambridge Analytica case and the ransomware attack on Colonial Pipeline highlighted the need for robust data privacy and security. The Facebook incident, in which the information of over 80 million users was exposed to a political consulting company, alerted the public to the unscrupulous data processing practices carried out by companies. The Covid-19 pandemic has accelerated the adoption of e-commerce and internet interactions. With more companies offering online services and more consumers choosing that route, maintaining the privacy and security of consumer data has become a responsibility that contributes to a company’s ethical and social values. With an increased number of global privacy regulations passed last year, corporations are now being held accountable for the privacy and protection of consumer data. Record-breaking data breaches and cyber threats have further escalated the need to govern these issues at board level. In 2021, companies can align data privacy and security with their ESG strategy to further bolster their ESG scores.

Privacy and environmental impact

The environment factor in an ESG analysis focuses on how a company uses natural resources and the carbon footprint it leaves behind. With companies collecting far more data than in previous years, simply switching from paper to digital is no longer enough to reduce environmental impact. The more data that is collected, the more storage is needed to hold it. Storing excessive amounts of data requires additional physical server space, hard drives, and other electronics, leading to physical waste and increased energy consumption.

Implementing privacy practices such as data minimization, which calls for collecting only necessary data, can help companies reduce their data footprint, resulting in a greener impact on the environment. Although we give little thought to collecting and storing data in a world of seemingly unlimited cloud-based storage, these actions have a long-term effect on the environment. Minimizing data storage needs reduces the server space and energy required to hold the excess data. Collecting and processing only necessary data will also yield less electronic waste, or e-waste, as a smaller physical footprint will be needed. Companies should also establish reliable and secure methods to recycle electronics, as e-waste comprises 70% of all toxic waste. Recycling technology can have a considerable positive impact on the environment and a company’s carbon footprint. The Environmental Protection Agency (EPA) estimates that “recycling 1 million laptops saves the energy equivalent to the electricity used by 3,657 U.S. homes in a year and that for every million cell phones that are recycled, 35,274 pounds of copper, 772 pounds of silver, and 75 pounds of gold can be recovered.”

Despite the hazardous effects of e-waste and the precious materials contained within technology, a United Nations report found that only 17.4% of the e-waste discarded in 2019 was recycled. The combination of high waste volumes and low adoption of environmentally beneficial practices shows where businesses need to modify their practices in order to be ecologically responsible and attract ESG investors.

Privacy and social impact

The social factor in an ESG analysis examines the relationships between a company and the customers, employees, partners, and investors it interacts with. Companies that collect and process consumers’ personal information have a social responsibility to adequately protect that information and to respect the privacy of those whose data was collected. While consumer data can provide tremendous business value and profit, privacy is a social value that needs recognition and respect. Data privacy regulations grant consumers some rights regarding the handling of their information, but they may not cover everything. Recognizing privacy as a social value can enhance a company’s reputation, boosting its ESG score.

In a digital economy, consumers are placing their money, information, and trust in the hands of companies. Implementing a meaningful privacy program that governs the responsible collection, use, and storage of the personal data they own and process should be a priority for modern enterprises. Following guidelines such as the OECD privacy principles will keep companies focused on purpose, openness, participation, use limitation, and collection limitation. Adopting these privacy principles will demonstrate a commitment to society’s expectation of privacy.

To demonstrate purpose, companies should collect only data that serves a necessary business purpose. Collecting excessive amounts of personal and sensitive information has a chilling effect on society’s expectation of privacy. By practicing data minimization, limiting data collection to only what is necessary, corporations can demonstrate that they collect data only to better serve their customers.

For companies to exhibit openness, they should be transparent about which data sets they collect and for what purpose. Publishing an easily accessible privacy policy lets consumers, partners, and other stakeholders readily see that a company respects the privacy of its user base. Companies should also engage with consumers by enabling them to set their own privacy preferences. By offering users the ability to opt out of specific data collection practices or to limit which data sets are collected, companies showcase their commitment to their user base. Taking active steps to properly acquire a customer’s consent demonstrates that a company prioritizes people over profits.

To further boost an ESG score, companies can limit how they use collected data. Businesses should be wary of selling consumer data without first obtaining consent. Customers place their trust in a company when they hand over personal, sensitive, and financial information. For a company to then sell that data to another party breaks the trust between customers and the company. Establishing a responsible privacy program will strengthen consumer trust, which leads to improved brand reputation and profits. You can read more about the connection between data privacy and consumer trust here.

Businesses can also limit their use of collected data with regard to targeted advertising. Modern data collection allows marketers to track users’ activity across websites to create personalized experiences; this process is known as hyper-personalization. While companies should adopt some of these strategies as consumers trend toward personalized experiences, they need to strike a balance between privacy and personalization, as over-personalization will scare away consumers and investors. Ardent Privacy recently published an article on how businesses can balance personalization and privacy.

Corporations should also give extra consideration when collecting and processing the personal data of minors. Children are among the most active internet users, yet they lack an understanding of what information they are sharing and with whom. UNICEF recently published a report detailing how companies can better protect children’s data privacy.

Privacy and Governance

The governance factor in an ESG analysis covers the corporate management structure and company policies regarding compliance, standards, and disclosures. Companies need to ensure they comply with the laws that regulate data collection and processing. Current laws, such as the EU’s GDPR and California’s CCPA, regulate companies’ data collection practices, grant consumers rights over how their data is handled, and mandate that companies establish reasonable security standards. Failing to comply with these regulations can lead to hefty fines and increased legal liability through private lawsuits over improper data management. The investment firm Equifax fell victim to a data breach in 2017, which exposed the financial information of approximately 147 million consumers. The Federal Trade Commission (FTC) found that the company failed to take reasonable steps to secure its network after failing to fix a critical vulnerability, and failed to inform the public about the breach until weeks after it occurred. Equifax agreed to a $575 million settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states. Data breaches also hurt a company’s stock price. According to an evaluation of recent data breaches, “publicly traded companies suffered an average drop of 7.5% in their stock values and a mean market cap loss of $5.4 billion per company.” Failing to comply with mandated requirements will negatively affect an ESG score and cause investors to question the direction and ethics of a company.

To remain compliant with the rapidly evolving legal landscape of data privacy and security, governance-focused companies take active steps to monitor their compliance effectively. A strategy many companies have adopted is appointing a privacy officer. A designated privacy office supports accountability for staying compliant and for responding to consumer requests. Beyond legally mandated compliance, businesses should adopt industry standards for security and privacy. Adopting security and privacy standards such as the NIST Privacy Framework or ISO 27701 helps protect against data breaches and ransomware attacks. Corporations that use up-to-date standards and technology demonstrate a commitment to the evolution and importance of data privacy and security. Companies should regularly evaluate and report on the state of their privacy and security programs to ensure no weaknesses remain.

If a data breach were to occur, various laws require companies to disclose the breach to those affected, the public, or government agencies. Companies should have systems in place to quickly contact any required parties, as failure to do so in a timely manner can also result in fines from regulatory agencies. ESG investors look for companies that embrace good governance and industry standards.

Conclusion

As the importance of ESG investing continues to grow, with investments in sustainable companies in the fourth quarter of 2020 up nearly 90% from the previous year, companies need to implement comprehensive data privacy and security programs that are aligned with an ESG strategy and measured against ESG objectives. A robust data privacy and security program will not just help with an ESG score; it also demonstrates a commitment to sustainable practices, which will attract ESG investors. Privacy and security teams can, in turn, use ESG to guide their programs. A comprehensive data privacy and security program should include policies that are environmentally beneficial, socially responsible, and supportive of compliance.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to provide companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution uses machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/ and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.