The role of privacy in ESG explained - sponsored by Iron Mountain

Privacy and data protection is one of the main business risks and yet its linkage to ESG or environmental, social and governance topics, is still a novel concept and in its infancy. It is time to raise awareness on this issue and elevate privacy in sustainability reporting. The aim of this white paper is to explore the role that data privacy plays in ESG, as well as highlights the challenges and opportunities.

Every company must address this issue

The widespread use of personal data means that data privacy has become a material ESG issue.

The more data a company processes the more this is likely to affect their ESG rating.

There is no doubt that poor privacy is the result of poor environmental, societal and governance practices. At the same time, good privacy and data protection matters is likely to positively impact ESG scores and empower the business. The time has come for all privacy professionals to raise the issue of ESG and data privacy, and in turn help drive change through our organisations, a change for good and all our future generations.

Julia Bonder-Le Berre - Co-chairperson & Head of Global Privacy, Iron Mountain
Graham Thomas - Co-chairperson & Privacy Director, KPMG

PICCASO: The “why” of privacy culture practice and ESG

On behalf of PICCASO Privacy Lab, we are delighted to present to you the following insights on the subject of ESG.

PICCASO stands for Privacy, Infosec, Culture, Change & Awareness Societal Organisation. As the name suggests we are a special interest group for professionals and organisations that stand for Privacy, Data Protection and Information Security. PICCASO operates as a not-for-profit entity, steered by dedicated volunteers and industry-leading figures who serve as the PICCASO Advisory Board. Our mission revolves around instilling the ‘why’ of privacy culture practice and embedding best practices into an organisation’s core DNA for enhanced privacy compliance and data strategy.

With over 35 meetings and a collective effort spanning 80 hours, our diverse team of 19 members from various organisations and industries have successfully prepared a comprehensive whitepaper, which is now ready for your review. To ensure a well-structured and collaborative approach, our team members worked in smaller groups, engaging in numerous focused discussions to lay the foundation. On a monthly basis, we convened as a larger group to ensure alignment and steady progress. Throughout this journey, our dedicated chairs provided invaluable feedback, ensuring that our work embodied the highest standards of excellence. To put the finishing touches on our whitepaper, our skilled graphic designer ensured that it is publication-ready for widespread distribution.

Why privacy is one of the next key pillars in ESG?

More regulation, more data, more issues

Mounting geopolitical and societal issues, alongside the rapid advent of data-driven disinformation, such as AI deepfakes, the Cambridge Analytica scandal, and the growth of ransomware attacks, have forced governments to act. Now 137 out of 194 countries have legislation in place, or in draft, to secure the protection of data and ensure privacy, according to UNCTAD 1 . Regulations such as the GDPR in the EU, The Data Protection Act in the UK, CCPA in California/U.S., LGPD in Brazil, PIPL in China and recently India’s DPDPA are the most well-known.

At the same time, the exponential growth of data usage by businesses has a significant impact, on ESG, particularly the use of generative AI. For instance, the training of the generative AI model ChatGPT-3 used 3.5 million litres of water, according to one study2. That is a massive amount, especially considering that the model was trained using efficient U.S. data centres. If this AI model was trained in less efficient Asian data centres, water usage would rise to five million litres. Unless we develop AI systems to better account for its environmental impact, its energy consumption could be greater than that of the entire human workforce by 2025, according to Gartner.

Evolving digital landscape is driving change

Most businesses now have data at the core of their operations. It is considered a key asset. How they use and protect that data is key to the ESG agenda, as well as customer, employee and societal trust. Data privacy functions also play a key role in ensuring ESG responsibility as they have a remit to ensure that their businesses comply with strong data protection regulations such as GDPR, CCPA, LGPD, PIPL, which positively impact ESG. At the same time, fast developing AI, particularly generative AI and data ethics have a profound effect on data privacy, protection, storage and ultimately ESG. These issues will grow as more organisations digitally transform.

Actions on privacy positively impact ESG

By tackling privacy and data protection issues, as well as adhering to privacy principles, organisations can have a positive impact on ESG and improve their ratings. This can be achieved by focusing on data minimisation and retention, handling data subject requests properly, implementing privacy by design, boosting transparency, understanding data hosting and technology use, as well as implementing training and awareness programmes. However, this is just the beginning. Organisations are also increasingly looking at data hygiene, which is driven by how well a business looks after its data. In the future, this could be aligned more closely to ESG ratings.

Pressure mounting on ESG disclosures

ESG considerations are an integral part of corporate strategy and reporting for many organisations. There is now a greater expectation from investors, consumers and employees for organisations to be more transparent, proactive and accountable for ESG. This is enhanced by the adoption of standards for sustainability disclosures, such as the EU’s Corporate Sustainability Reporting Directive (CSRD).

Download to learn more.