Making privacy sustainable: Incorporating privacy into the ESG agenda

Data breaches have been rising in frequency and magnitude over the last two decades. In fact, the Identity Theft Resource Centre (ITRC) found that between 2005 and 2020, data breach events in the US alone increased from 57 to over 1001 – and the total for the first half of 2023 now stands at 1393.

Privacy protection regulations are the primary mechanism used by European and US federal legislators to respond to these breaches. This regulatory response to privacy filters down to government agencies, policy makers, public authorities, supervisory authorities and eventually to organizations themselves – where their privacy and data protection initiatives are reflectively shaped as regulatory compliance requirements.

Let’s consider the challenges of this regulatory focused approach to privacy:

1) Speed – or more specifically, the lack of it. Legislation is often reactive and lagging behind technology by the time it’s enacted.

For example, the General Data Protection Regulation (GDPR) was in discussion for four years before being approved by the European Union (EU) in 2016 and coming into force two years later. We find ourselves now with a patchwork of regulation alongside GDPR, as GDPR struggles to address challenges that did not exist prolifically a decade ago, such as consent for IoT devices, issues with exercising the right to be deleted using LLMs, digital ethics, data governance and so on.

2) The rising cost of data breaches. The average cost of a data breach has increased 15.3% from $3.86m in 2020 to $4.45m in 2023.

3) The regulatory focus overlooks the potential for business leaders and privacy leaders to leverage privacy as both a market differentiator and a competitive edge.

Why is this important? When business and privacy leaders focus on privacy as a compliance issue, they run the risk of not understanding the true impact their privacy activities have on the extended stakeholder community, including the broader economy, the environment and the society in which they operate.

Organizations may therefore be unwittingly conducting privacy initiatives that negatively influence their market and their extended stakeholder communities (e.g., investors, regulators, supervisory authorities, policy makers, advocacy groups, NGOs, and most importantly consumers). Or worse, they may be missing opportunities to conduct activities that positively influence these communities.

A new way to think about privacy

By implementing a robust compliance and governance strategy we get to know our data better, maximize its use, reduce risk to the business, minimize retention (and thereby potential data loss), and avoid fines.

We achieve this compliance through our privacy governance programs, which typically consist of having some or all the following in place:

• A corporate structure to determine the level of privacy risk appetite acceptable for senior management. A privacy risk management framework includes a risk register
• A privacy management system containing policies and procedures
• A set of privacy roles, responsibilities, and accountability – documented and communicated
• An ongoing privacy awareness program
• A privacy compliance-monitoring framework (an ongoing assessment of privacy laws).
• A privacy-incident response plan

What if instead of taking this “governance” approach where compliance is the goal, we also focused on the longer term more sustainable influence that different privacy initiatives have on the broader economy, the environment and the society in which organizations operate?

Incorporating privacy into the environmental, social and governance (ESG) agenda

I appreciate that for many in the cyber and privacy industry the terms ESG can often seem a bit “woolly”. However, in the realm of privacy, ESG is very clear and growing in importance.

Privacy’s involvement in the governance concerns of ESG emerged slowly during the last decade. In 2012 the first measures of privacy governance appeared in ESG reporting metrics (e.g., the Global Reporting Initiative). Privacy governance was traditionally incorporated with IT governance or corporate governance frameworks, but several privacy specific frameworks and standards have been emerging more recently (e.g., ISO 27701, NIST Privacy Framework).

Privacy’s inclusion in environmental ESG concerns is a relatively new development. From an IT perspective, many organizations have been exploring how to save energy related to the building and/or operation of their data centers, offices, and server farms.

More recently however, employers have started to shape full or partial work-from-home positions as pollution-reducing and health enhancing, as it reduces the number of employees commuting every day and enables employees to have more time to exercise, study, or spend with their families.

While these are not privacy-specific, as data management technology continues to improve, it’s probable that companies will have more environmentally friendly options for their privacy practices in terms of electronic waste, particularly regarding data retention. Privacy and security teams are very much involved with organizational initiatives such as the implementation of hybrid and remote working models, and their involvement in these initiatives should be monitored, tracked and reported.

Privacy’s involvement in the social concerns of ESG are well established for well over a decade, as Corporate Social Responsibility (CSR).

Privacy-specific CSR activities are hugely important when building a privacy strategy, as CSR initiatives are associated with increased consumer trust. This is important as a 1% increase in consumer trust has been found to result in a roughly 3% increase in company value, according to the 2020 Data Ethics – The Rise of Morality in Technology report by the World Federation of Advertisers.

Certain privacy specific CSR initiatives can drive competitive advantage, improve risk management, foster innovation, enhance financial performance, build customer loyalty and attract/engage employees. These activities are also of interest to investors, as investors increasingly use organizations’ nonfinancial disclosures (such as sustainability reports) to inform their investment decisions.

Consider – by way of example – an organization that publishes guidelines for AI that are made available to the public. This socially motivated privacy activity is likely to enhance organizational reputation and increase consumer trust. Consider another example: an organization that lobbies for extended data subject rights. Such an initiative will signal benevolence and thus engender increased consumer trust. Socially motivated privacy initiatives should also be monitored and reported in corporate publications.

Conclusion

An organization that incorporates privacy initiatives into their ESG program can benefit in several ways.

First, consumers and employees can gain insight into the privacy initiatives that the organization is undertaking, and thus engender increased trust and confidence.

Second, investors consider and include these activities when evaluating the value of an organization, as do indexes such as the FTSE 4 Good index.

Third, the presentation of privacy initiatives in an ESG publication distils the work of the privacy team and its leader to a wider audience, particularly to the board, who typically read these reports.

Fourth, in some countries such reporting is mandatory and therefore such reporting of privacy initiatives is of itself a compliance activity.

Finally, society benefits from more effective privacy – as now organizational privacy compliance becomes the baseline rather than the goal.