How ESG Can Drive Your Privacy Program


ESG programs are the future of corporate social responsibility. But they’re also the future of consumer trust—and sustainable data privacy practices. 

ESG might seem out of left field for privacy philosophy, but its foundations pair naturally with privacy best practices: both emphasize sustainable strategies, sound business relationships, and transparent, trust-building practices.

ESG models guide investment decisions and the development of operational processes using three categories:

  • E stands for Environment

Environmental criteria address how a company uses natural resources, how operations affect the environment (directly and indirectly), and how they can develop more sustainable processes.

  • S stands for Social

Social criteria center on how a company interacts with its vendors, employees, customers, and community on social issues like gender and racial equality, community health, social justice, etc.

  • G stands for Governance

Governance criteria are used to ensure that policy development/implementation and decision-making processes are transparent, ethical, and in line with company values.

In 2020, nearly 88% of publicly traded companies and 67% of private companies had ESG initiatives in place. In Q4 2020, more than 25% of S&P 500 companies cited ESG programs in their earnings calls, a 63% increase over Q3 of the same year.

The reason for the rapid expansion of ESG programs is easy to find—76% of consumers have said they will stop buying from companies that do not treat their employees, community, or environmental resources well. And it’s not just about policies—it’s about accountability. In a recent PricewaterhouseCoopers (PwC) study, 50% of consumers said that accountability for mistakes and missteps can build greater trust in companies.

Until recently, ESG frameworks were primarily used to guide investment decisions, but they also provide an excellent blueprint for creating, implementing, and maintaining robust privacy programs.

The modern privacy landscape

Until 2016, the collection and use of consumer data online was inconsistently regulated across the world—while some countries in the EU and Canada had regulations in place, they weren’t necessarily ready to handle the flood of data brought on by social media, e-commerce, and other online activities. Companies could track users and mine their online behavior for data insights without ever getting permission to do so.

This unchecked accumulation of consumers’ sensitive personal information and reckless storage and sharing practices made bloated databases a prime target for hackers and other bad actors.

While privacy advocates had been sounding the alarm for a long time, a series of high-profile breaches of both major international corporations and top social media platforms finally gave them enough momentum to successfully lobby for significant regulatory action.

And that’s how the European Union’s General Data Protection Regulation (GDPR) was born. 

Although the EU already had privacy laws, they had not kept pace with the modern data landscape. Enacted in 2016 and enforceable from 2018, the GDPR established robust, modern, and consistent privacy standards for any company that operated in the EU or collected information from EU residents. Other governments quickly followed suit.

The United States doesn’t have a federal data privacy law, but California, Virginia, Colorado, Utah, and Connecticut have passed consumer privacy laws since 2018. Seven other states (Michigan, Ohio, Pennsylvania, New York, Massachusetts, New Jersey, and North Carolina) currently have bills in committee.

More regulatory control, not less, is clearly the trend for the foreseeable future. Making privacy part of your ESG program is the best way to turn what will likely become a compliance obligation into a value-add for your customers.

Why should we add privacy to our ESG framework?

While some people (and some companies) view ESG as just another marketing ploy, it can be a powerful tool in creating a company culture that prioritizes ethical, customer-focused operations. 

That’s a perfect model for building a data management program.

Because consumer data impacts everything from product development to customer service to marketing, a privacy function will only succeed if it’s supported by a cross-functional commitment at every working level. An ESG framework can help establish data privacy best practices as part of your culture.

But the best thing about combining your privacy and ESG efforts is the return on investment you can expect. Need some examples?

Creating a mutually beneficial relationship

A strong ESG program and effective data management practices are kind of a chicken-and-egg situation.

ESG funds and executive support can make the implementation of privacy best practices more effective, but well-implemented privacy programs can prove your ESG concepts and bolster support for other initiatives.

Before you can understand the benefits of working on these two issues simultaneously, it’s essential to know the fundamental principles of privacy best practices.

  • Transparency and accountability: Companies should tell customers exactly what data they’re collecting and what they’re doing with it.
  • Data minimization: Companies should collect only the minimum amount of data needed for operations.
  • Consumer control: Consumers should be able to opt out of having their information collected, processed, used for marketing purposes, or sold. They should also be able to delete or correct their data if desired.
  • Security: Companies should provide reasonable security measures, both technical and process-based, to keep data safe from unauthorized access.
  • Education: Companies should educate their employees and their users on their rights and responsibilities.

Each of these principles corresponds to one or more of the three ESG criteria. Tying your efforts together can make them far more effective.

Environmental criteria

When it comes to the “E” in ESG, the most natural privacy partner is data minimization. Data management requires significant amounts of energy and equipment, even in a predominantly paperless world. Collecting less data allows you to reduce, sometimes significantly, the energy output and carbon emissions needed to process, protect, and store it.

Proper data management practices require servers and processors, and anyone who remembers the first iPhone knows how quickly hardware becomes obsolete. That obsolete hardware, called Electrical and Electronic Equipment Waste or e-waste, is not biodegradable, is full of toxic materials like mercury and BFR plastics, and comprises 70% of the toxic waste in landfills. Minimizing your data collection cuts down the amount of e-waste your company produces.

Social

The buzziest of the ESG criteria, social responsibility is a great fit with privacy’s focus on individual rights and control. This is especially true as data privacy is increasingly recognized as a basic human right. Managing your customers’ sensitive personal data responsibly means ensuring identifying information like race, gender, medical history, sexual orientation, religious or political affiliations, union membership, creditworthiness, etc. doesn’t affect automated decision-making processes in inappropriate ways.

Transparent, consumer-friendly data management practices will not only help you achieve compliance with applicable laws but will also establish you as a leader in the information economy.

Governance

Governance may not be as sexy as environmental and social justice causes (only 14% of US consumers think it’s the most important factor in a business’s reputation), but it is the key to a resilient, effective privacy program.

Poor data management practices come at a very steep price, and it’s just getting steeper. Consider the following statistics from IBM’s 2021 Cost of a Data Breach Report:

  • The average cost of a data breach increased 10% between 2020 and 2021 to a global average of $4.24M per incident
  • The average cost for personally identifiable information (PII) is $180 per record
  • The average time needed to detect and contain a breach has increased to 287 days

But here’s the statistic you really need to know: the cost of a breach at companies with automated and/or fully deployed security programs and processes is 80% lower than at companies without these systems in place.

Almost all privacy best practices rest on solid governance principles, including least-privilege access, automated and redundant processes for installing updates and patches, cross-functional management of all related processes, and continuing employee education.

Like PB&J

ESG initiatives and data privacy management programs naturally support and enhance each other. Working on both simultaneously can streamline your company’s efforts to be a customer-friendly, ethical, and modern player in the information economy.

If you’re ready to incorporate privacy into your ESG program, the experts at Red Clover Advisors can help. We have extensive experience working with our clients to develop practical privacy solutions that maximize your operational efficiency while improving your ability to protect your customer data. Schedule your consultation today to learn more.