Increasingly, organizations are including privacy and data governance metrics and disclosure as part of their environmental, social and governance (ESG) reporting framework. With the adoption of Quebec’s Bill-64, renewed calls for the federal government to prioritize reform of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the prevalence of data breaches, there is little doubt that privacy remains a forefront issue for most organizations.
Incorporating privacy and data management into an ESG reporting framework can move an organization beyond the traditional “regulatory compliance” approach to data by identifying areas throughout the data cycle that create risks, even when organizations are fully compliant with applicable legislation. Tailoring ESG this way provides an organization the ability to further explain to stakeholders (such as its customers, shareholders, employees, supply chain partners and regulators) how it holistically identifies and manages privacy and data related risks. Linking an organization’s privacy and data governance policies to broader ESG considerations also better positions an organization to proactively respond to evolving regulatory developments and to effectively identify data-related growth opportunities. Most importantly, including such privacy and data-related disclosure increases stakeholder transparency and helps build long-lasting and sustainable stakeholder trust.
In this bulletin, we discuss how privacy and data governance practices align with ESG considerations and ways in which organizations can integrate them into their ESG frameworks.