Increasingly, organizations are including privacy and data governance metrics and disclosure as part of their environmental, social and governance (ESG) reporting framework. With the adoption of Quebec’s Bill-64, renewed calls for the federal government to prioritize reform of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the prevalence of data breaches, there is little doubt that privacy remains a forefront issue for most organizations.
Incorporating privacy and data management into an ESG reporting framework can move an organization beyond the traditional “regulatory compliance” approach to data by identifying areas throughout the data cycle that create risks, even when organizations are fully compliant with applicable legislation. Tailoring ESG this way provides an organization the ability to further explain to stakeholders (such as its customers, shareholders, employees, supply chain partners and regulators) how it holistically identifies and manages privacy and data related risks. Linking an organization’s privacy and data governance policies to broader ESG considerations also better positions an organization to proactively respond to evolving regulatory developments and to effectively identify data-related growth opportunities. Most importantly, including such privacy and data-related disclosure increases stakeholder transparency and helps build long-lasting and sustainable stakeholder trust.
In this bulletin, we discuss how privacy and data governance practices align with ESG considerations and ways in which organizations can integrate them into their ESG frameworks.
WAYS IN WHICH PRIVACY AND DATA GOVERNANCE ALIGN WITH ESG
Data management policies and protocols can have an impact on an organization’s environmental outcomes. The collection, storage and processing of data requires energy and physical servers - the more data that is collected, processed and stored, the more energy, equipment and server space is required. Excess collection of data can therefore have a negative impact on environmental factors such as energy efficiency, carbon emissions, climate change and electronic waste management.
Companies that collect data have a social responsibility to protect information and respect the privacy from those whom they collect and process data. Moreover, technology driven decisions through algorithmic and automated decision making in areas related to health and medicine, employment, creditworthiness and criminal justice raise important ethical considerations, particularly around potential biases and discrimination. Recognition of privacy as a social value and the incorporation of data ethics can heighten the sensitivity with which an organization treats data and improves transparency, leading to better data management and risk mitigation. Better data management policies can improve a company’s social reputation, while also protecting against financial and reputational risk that may arise as a result of a data breach.
The governance factor weighs heavily in incorporating privacy and data governance into an ESG framework given the nature of privacy regulation. Organizations that deal with personal information are expected to maintain robust information security policies that protect the confidentiality, integrity and availability of information, including from unauthorized access and disclosure. Increasingly, privacy regulators have focused on the issue of demonstrable accountability, which requires organizations to not only have the requisite privacy and data protection policies in place, but to take steps to actively monitor and audit their privacy and data management practices to identify and address issues in real time. In addition, to manage issues related to data ownership and use, including via contract, organizations need to incorporate practices that safeguard other forms of data such as confidential and/or proprietary information.
Non-compliance with regulatory requirements poses significant financial, legal and reputational risk. As legislators move towards providing individuals with more control over their data, they are empowering regulators with significant enforcement powers to compel compliance with regulatory requirements. For example, Quebec's Bill-64 grants increased powers to the Commission d’accès à l’information du Québec, which would be able to impose monetary administrative penalties of up to C$10-million on non-compliant private enterprises. Additionally, under Bill 64, private sector organizations could be subject to penal fines of up to C$25-million or, if greater, an amount corresponding to four per cent of the enterprise’s worldwide turnover for the preceding fiscal year, for failure to comply with Quebec’s Act respecting the protection of personal information in the private sector.
INTEGRATING PRIVACY AND DATA GOVERNANCE INTO YOUR ESG FRAMEWORK
1. Establish a forward-looking privacy and data governance framework
There is no one size fits all approach to an organizational privacy and data governance framework. To gain a better appreciation of an organization's needs, we recommend not only considering the applicable legislation but also relevant industry standards and frameworks (e.g., the National Institute of Standards and Technology’s Privacy Framework) to undertake an assessment of how an organization’s systems, products and services may create privacy and data governance risk for the organization and for the stakeholders from whom it collects this information. Alignment with these industry standards allows organizations to concretely and transparently report that their internal data management programs meet specific quantitative and qualitative control thresholds.
Comprehensive assessments should be undertaken considering the entire data-lifecycle from collection through to retention and destruction. Understanding organizational risk factors associated with data collection, processing and management is the first step to developing effective solutions to manage such risks. What framework an organization adopts should be made on a case-by-case basis.
Organizations should use these assessments to design policies and practices that address specific technical, administrative and physical risks. Policies should include monitoring processes that continually identify, manage and mitigate risk, and incorporate regular inspections and audits of privacy, data management and cybersecurity policies and systems (to demonstrate accountability). Policies should not only address risk within an organization but do so throughout an organization’s value chain including with business partners and service providers (which present additional vectors for privacy, data ownership and cybersecurity threats).
2. Develop privacy and data governance metrics
Organizations should develop privacy and data governance metrics that monitor data-related ESG goals’ progress over time. By making privacy and data governance an appraisable component within an ESG framework, an organization’s management team and board will have more meaningful insight into data-related issues and can meaningfully hold business units and programs to account.
While the type of metrics disclosed will depend on the organization’s risk profile, internal needs and industry, some metrics that could be disclosed include information security certifications, descriptions of the company’s approach to data analytics and artificial intelligence, prevalence of privacy and cyber training, data breach statistics, resource investments, etc. Undertaking a comprehensive assessment of an organization’s risk factors, and the likelihood of any given issue arising, can help an organization develop and monitor tailored data-risk metrics. Having clear privacy and data governance related ESG goals can further provide a framework for the organization to integrate privacy and data governance strategies across the organization while also providing tangible metrics for stakeholders to hold the organization accountable to its commitments.
3. Adopt privacy and cybersecurity by design
Organizations should integrate privacy and cybersecurity by design into the design, operation and management of their systems and business practices. At its core, a privacy and cybersecurity by design-based approach requires organizations to integrate privacy and data protection considerations and features into the design, operation and management of any given system, business process or product design that may collect or process personal information.
Some jurisdictions have already moved to include “privacy by design" as a regulatory requirement. For example, the European Union’s General Data Protection Regulation (GDPR) requires organizations to take “appropriate technical and organizational measures” for implementing data protection principles in an effective manner. Starting September 2023, Quebec’s Bill-64 will require private sector enterprises that collect personal information when offering a technological product or service to provide the highest level of confidentiality by default, without any intervention by the person concerned. Privacy by design has also been incorporated in an ISO standard (ISO 31700, Consumer Protection: Privacy by Design for Consumer Goods and Services).
4. Creating a culture of accountability
Current Canadian privacy laws already require organizations to adhere to the principle of “accountability” in several ways, including appointing a privacy officer and implementing a privacy management program. A comprehensive privacy management program not only provides an effective way for organizations to satisfy regulators and assure themselves that they are compliant with applicable data protection laws, but it also helps to foster a culture of privacy throughout an organization.
To ensure that any internal privacy and data governance structure is effective and fosters such a privacy-respectful culture, organizations should:
Make sure there is buy-in from senior management and the board. This means senior management and the board should: be regularly appraised of information security and data governance issues; establish oversight mechanisms (e.g., either through the traditional risk committees or by creating standalone data governance committees); and routinely communicate with all employees/stakeholders on data related initiatives;
Appoint and empower their privacy/data officer and/or privacy/data office that is responsible for the privacy and data management program, by providing them with sufficient resources and, if such an officer is not a C-level executive, to provide routine access to senior management and the board; and
Routinely undertake internal audits of the organization’s data collection, sharing and processing practices and controls, as well as regularly inspecting vendors’ and business partners’ data protection and management to identify, manage and mitigate risk.
5. Adopt data minimization strategies
Data minimization refers to strategies to limit the collection, use and disclosure of information necessary for the provision of a product or service. Adopting a data minimization strategy will align an organization’s policies with regulatory requirements such as PIPEDA and the GDPR, which require organizations to limit the collection, use and disclosure of information to that which is necessary to provide a product or service. Data minimization can improve social and governance factors by limiting the exposure of personal information in the event of a cyber breach.
Data minimization can also limit an organization’s negative environmental impact by reducing the amount of energy used for servers to process and store data, and decrease the amount of e-waste generated by disposed hardware.
6. Consider data ethics and algorithmic transparency
Organizations that employ technology driven decision making or data analytics should consider incorporating data ethics controls (e.g., by adding data ethics considerations into a privacy impact assessment) as part of their overall data-processing strategy. Additionally, organizations should embed algorithmic transparency and data ethics related disclosure in their internal and external privacy and data governance policies. Transparency via additional disclosures around data ethics will help keep organizations accountable and improve confidence among customers and other stakeholders that their data is being collected, stored and processed in an ethical manner. Doing so also has the effect of boosting an organization’s ESG ranking since it demonstrates that the organization is taking into consideration the social implications of data use in new or higher-risk data processing scenarios, such as artificial intelligence and automated decision making.
The recommendations outlined above provide potential actions an organization can take to proactively integrate privacy and data governance considerations into its ESG framework. Doing so will help move an organization beyond a traditional regulatory compliance approach to data to one that places privacy and data security at the forefront of an organization’s overall risk strategy, with the potential to deliver improved sustainability and long-term stakeholder trust.
For more information, please contact:
Ronak Shah 416-863-2186
or any other member of our ESG or Privacy & Data Protection groups.