The Intersection of Privacy and Corporate Sustainability & ESG: What Every Business Should Know
22 January 2025
Authors: Maria Aholainen and Riikka Kuha
In this blog, we will delve into the relationship between privacy and corporate sustainability and ESG, and the rapidly developing regulatory landscape and stakeholder expectations around them.
For many, the term ESG has long been predominantly associated with environmental impacts such as greenhouse gas emissions and other risks arising from climate change. While privacy and data protection may not initially seem like top priorities from an ESG perspective, it is inevitable that these issues are increasingly coming under the ESG spotlight.
Why is privacy important in this context?
- Firstly, data is considered a key asset, and privacy plays a crucial role in assessing its ethical use. Mismanagement of privacy can significantly harm individuals' privacy rights.
- Secondly, with growing awareness among stakeholders such as customers, end-users, employees, and investors, privacy expectations are rising. Managing privacy properly can enhance stakeholder trust and a company’s ESG ratings, whereas mismanagement can harm these scores and, consequently, adversely impact reputation, funding, and company valuation.
- Thirdly, ESG reporting is heavily based on data. While the data is often aggregated or non-personal, it can still be derived from personal data. Such personal data must be processed in accordance with the General Data Protection Regulation (the “GDPR”) and applicable national laws.
What is meant by corporate sustainability and ESG?
Corporate sustainability and ESG (Environmental, Social, and Governance) are closely related concepts both aimed at promoting responsible business practices that consider environmental, social, and governance factors. While they are often used interchangeably, they are not identical but have distinct focuses and applications.
Corporate sustainability can be understood as a holistic umbrella concept encompassing a range of responsible business practices aiming to meet the economic, social, and environmental needs of the present without compromising the ability of future generations to meet their own needs, and preferably benefiting both the company and the planet as well as the society in which it operates.
ESG, on the other hand, can be considered a subset of corporate sustainability. It refers to a set of criteria used to evaluate a company's operations and performance beyond traditional financial measures, namely in the environmental, social, and governance areas. ESG serves as a framework for measuring and reporting on these metrics, providing benchmarks to assess and compare companies’ performance. Investors and other stakeholders often rely on ESG metrics to assess and compare the sustainability and ethical impact of their investments.
Evolution of corporate sustainability from soft law frameworks to mandatory legislation and strategic imperative
For a long time, corporate sustainability was largely based on voluntary soft-law frameworks such as the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct. However, the first half of the 2020s has brought about an unprecedented number of new laws mandating companies to adopt more sustainable practices and take accountability for their impacts on the planet, people, and societies. The EU legislator has been at the forefront of this development with the European Green Deal policy, which covers a host of game-changing pieces of legislation such as the Corporate Sustainability Reporting Directive (“CSRD”), mandating large companies and listed companies to publish regular reports on the social and environmental risks they face and on how their activities impact people and the environment, and the Corporate Sustainability Due Diligence Directive (“CSDDD”/“CS3D”), obligating very large companies to identify and address adverse human rights and environmental impacts of their operations and global value chains (see our blog post on CSDDD (in Finnish) here).
With the so-called hardening of soft law on corporate sustainable practices to mandatory legislation—often accompanied by hefty sanctions for non-compliance—it is no surprise that corporate sustainability and ESG have rapidly risen as a board-level concern, much like the GDPR a few years earlier. In parallel to the regulatory push, other stakeholders—from investors and financiers to employees, customers, and NGOs—are increasingly looking beyond the product or service to the ethos and principles of the company providing them and the impact it has on its surroundings while doing so.
Considering the above, it can well be argued that integrating sustainability into a company's strategy is essential for long-term business continuity.
How does privacy fit within corporate sustainability and ESG frameworks?
The right to privacy is one of the basic human rights enshrined in international human rights treaties such as the UN International Bill of Human Rights and the European Convention on Human Rights. Article 8 of the EU Charter of Fundamental Rights specifically addresses the protection of personal data, ensuring that everyone has the right to the protection of personal data concerning them.
The GDPR brings the fundamental right to privacy into a detailed regulatory regime. In addition to the GDPR, the EU legislator has in recent years approved several significant regulations affecting the privacy landscape. The EU’s Data Strategy, introduced by the European Commission in 2020, has paved the way for new ambitious regulations on data access and use, including the Data Act, the Artificial Intelligence Act, the Digital Markets Act and the Digital Services Act, among others. When personal data is concerned, the new data regulations are built on existing privacy and data governance regulations, such as the GDPR, forcing companies to apply these regulations in parallel and navigate the rapidly developing regulatory landscape.
Companies’ practices in collecting and processing personal data and ensuring data security can significantly impact the right to privacy and the protection of personal data, especially if not managed appropriately. Respecting the privacy of employees, customers, end-users, and other stakeholders is a key component of corporate sustainability, particularly within the ESG framework.
Next, we will explore how privacy fits within the “E”, “S” and “G” pillars.
Environment
The “Environment” pillar of the ESG framework focuses on, e.g., how a company uses natural resources and the carbon footprint it leaves behind. Today, companies are collecting a vast amount of personal and non-personal data and deploying new technologies, such as artificial intelligence (“AI”), which heavily rely on data. The more data that is collected, the more storage is needed to store that data. Storing excessive amounts of data requires additional physical server space, hard drives, and other electronics to store information, leading to often hazardous electronic waste and increased energy consumption. Similarly, AI technologies consume significant amounts of energy and water, and can contribute to the carbon footprint and water usage of companies, depending on the scale of deployment and the energy sources used.
Implementing privacy principles such as ‘data minimization’ and ‘storage limitation’, which call for only collecting necessary data and deleting unnecessary data, can help companies reduce their data footprint, which in turn is likely to translate to a reduced environmental footprint.
Social
From the human rights lens, privacy naturally fits within the “Social” pillar of the ESG framework. For example, the European Sustainability Reporting Standards (ESRS), which provide detailed guidelines and reporting requirements for sustainability reporting under the CSRD, address impacts on the privacy of the reporting company’s own workers, value chain workers, as well as consumers and end-users.
Privacy considerations are also ever more paramount when organisations deploy new technologies, such as AI.
- Let’s take an example: an organisation is deploying a new recruitment system that uses artificial intelligence to assess and select the most suitable candidates. The deployment of AI in this context triggers privacy risks; for example, the training data can contain hidden biases based on characteristics like gender, age, and ethnicity, which should be assessed and mitigated beforehand. It is crucial to understand and detect that the use of new technology, such as AI, can trigger privacy concerns, which in turn become ESG challenges. As investors and other stakeholders recognise the potential risks and impact of mishandling personal data, privacy is bound to become an important factor in the company’s overall ESG assessment.
Governance
Moreover, companies’ privacy practices can also be considered in the context of the “Governance” pillar of ESG, primarily because regulatory compliance requirements (such as adherence to the GDPR and other privacy laws) and broader risk management (such as protection from the risk of data breaches and cyber threats) are core aspects of corporate governance.
- Let’s take an example: a company’s server has been compromised and customers’ personal data have been uploaded to the dark web. This is a personal data breach under the GDPR, and it could potentially (depending on the type of personal data) lead to identity theft or fraud, or cause financial loss or emotional distress to the individuals concerned. For the company, the personal data breach may lead to financial and reputational harm and loss of customer trust. At worst, a data breach can bankrupt the company if it turns out that the privacy and security of personal data were neglected, as in the case of Psychotherapy Centre Vastaamo in Finland. From the ESG perspective, the data breach may impact the organisation’s ESG rating and adversely affect the company’s brand, partnerships, funding, and overall valuation.
Further, the GDPR has had a profound impact on companies’ data governance, i.e. on the way companies manage their data, both personal and non-personal. The GDPR has forced companies to improve their data governance processes, minimising the risk of non-compliance. Data governance supports overall compliance efforts but is also beneficial for ESG reporting, which is highly dependent on accurate and reliable data.
How can privacy contribute to corporate sustainability and ESG?
Considering today’s ever-tightening legal framework and heightened stakeholder expectations, organisations should proactively signal their commitment to privacy and integrate it in their ESG and sustainability strategy. Also, established privacy programs should include policies that are environmentally sound, socially responsible, and assist with compliance.
An established privacy programme, with a clear allocation of roles and responsibilities, supports both privacy and ESG compliance. Further, the basic elements of a privacy programme, such as governance, transparency, training and awareness, and key procedures (risk management, data breach procedure, and procedure for exercising data subject rights), contribute to companies’ ESG scores and stakeholder trust more generally.
While it may not be easy to demonstrate and measure the maturity level of a privacy programme, several measures may be used for this purpose: dedicated (senior) privacy roles, quantitative measures such as KPIs, voluntary certifications such as ISO certifications, adoption of binding corporate rules (BCR), privacy audits by third parties, privacy awareness campaigns, as well as privacy by design functionalities allowing users to have greater control over their data and exercise their rights. These measures demonstrate compliance and foster trust among stakeholders, while also highlighting corporate sustainability and accountability on a broader scale.