Privacy Is Not Just a Compliance Issue, Make It Part of Your ESG Program

November 14, 2023

As data breaches have risen in frequency and magnitude over the past two decades, European and U.S. legislatures have responded primarily with privacy protection regulations, according to HelpNetSecurity.com. These regulatory responses filter down to government agencies, policymakers, public authorities, supervisory authorities, and organizations, where they have become regulatory compliance requirements.

This regulatory-focused approach to privacy, however, presents several challenges.

  • Legislation is often reactive and tends to lag behind technological advancements and compliance requirements.
  • The cost of data breaches is steadily rising, with the average breach costing $4.45 million in 2023.
  • A regulatory focus is limiting and overlooks the potential to impact the broader economy, environment, and society.

Viewing privacy through a broader lens than solely as a compliance issue can lead to a more sustainable and positive impact. By incorporating privacy into the environmental, social, and governance (ESG) agenda, organizations can drive long-term change.

  • Environmental impact. Including privacy in environmental ESG concerns is relatively new. Privacy initiatives can contribute to environmental efforts such as reducing energy consumption and supporting remote work arrangements, and they should be monitored, tracked, and reported.
  • Social responsibility. Privacy’s involvement in the social concerns of ESG has been evident for over a decade. In the social dimension of ESG, corporate social responsibility (CSR) activities related to privacy can enhance consumer trust, foster innovation, and improve financial performance.
  • Governance concerns. Traditionally, privacy governance was linked with IT or corporate governance frameworks, but recently privacy-specific frameworks and standards, such as ISO 27701 and the NIST Privacy Framework, have emerged.

Addressing data breaches and privacy concerns through regulations alone is insufficient. A broader approach that integrates privacy into the ESG agenda allows organizations to harness the full potential of privacy initiatives, benefiting stakeholders, investors, and society as a whole.
