6 minute read 3 Feb. 2022
ey-men-discussing-network-machines

Connect privacy with ESG to drive broader business success

Authors
Roobi Alam

EY Canada Privacy Leader

Roobi is a privacy professional who is determined to help organizations and individuals realize why privacy is power.

Carlos Perez Chalico

EY Canada Private Cybersecurity and Privacy Leader

I have over 23 years of experience in cybersecurity, IT risk management and privacy matters. In my free time, I read, write, go route-cycling and volunteer.

6 minute read 3 Feb. 2022

Aligning privacy to your business ESG strategy is key to honing a competitive edge in an increasingly digitized world.

In brief
  • Businesses must connect privacy with their environmental, social and governance strategy to hone a competitive edge in a digital world.
  • Positioning privacy as an ESG priority takes championing it as a human right and governing it as central to organizational purpose.
  • Aligning privacy approach to your decarbonization efforts is essential to drive measurable progress against ESG priorities.

Changing customer dynamics are creating a unique opportunity for organizations to set themselves apart. Entrench privacy within your environmental, social and governance (ESG) strategy now to hone a competitive edge capable of generating brand equity that’s grounded in trust and bottom-line results.

How so? The world’s reliance on virtual experiences is driving even more data sharing, which exposes businesses to costly privacy risks but also presents an equal opportunity for leadership. Due to the accelerated digitization pushed by COVID-19, consumers have begun to define value differently, paying greater attention to both privacy actions and ESG targets. Stakeholders want to know how you’re addressing these areas, and they’re making decisions about your organization accordingly.

Seizing this moment to address that dynamic can unlock financial and non-financial benefits in a market where historic value drivers have changed and competition is fierce.

How are privacy and ESG material?

While Canadian organizations are investing in cybersecurity, EY research shows their spending falls far short of what’s needed to effectively protect the business, people and brand. That gap could widen in today’s context. Even as the pandemic recedes, working, learning, shopping and socializing will take up more permanent digital space in non-traditional locations — most often our homes. That means organizations face the added challenge of safeguarding data that now lives in a mostly remote world.

With one third of Canadian businesses indicating that

70%

of data breaches result from employee weakness, the increasingly virtual nature of our lives is raising privacy protection alarm bells.

At the same time, leading regulatory bodies are underscoring privacy and data security as material ESG topics. From the Sustainability Accounting Standards Board (SASB) to ESG ratings agencies like Morgan Stanley Capital International’s Emerging Markets Index and beyond, many are redefining privacy and data security in the ESG context. From here on out, they’ll be evaluating companies against a range of evolving metrics. This includes everything from the amount of personal data a business collects to the likelihood of potential data breaches.

That shift is happening in tandem with a growing consumer emphasis on transparency, accountability and trust — which increasingly overlap with privacy. Generation Z — the largest generational cohort in history — is positioned to shape the next normal. These 18- to 23-year-olds expect organizations to treat sustainability meaningfully, address social and economic inequalities deliberately and accomplish both at the speed of societal change.

Because ESG frameworks are geared to demonstrate organizational action against those kinds of priorities, embedding privacy here can help businesses quantify efforts clearly and consistently. Showing stakeholders you understand these dynamics well enough to prioritize privacy as part of your ESG framework sends a clear signal: we reinforce privacy with the focus, rigour and reporting it deserves. That can help you stand out. 

How can you act now to position privacy as an ESG priority? 

1. Champion privacy as a human right and address it accordingly. 

In this year’s survey results, security maintained its title as the attribute personal banking customers care most about when they consider sharing data. Regardless of how we analyzed our survey results, personal banking clients overwhelmingly indicated that security is top of mind for them, and that FIs must deliver on this promise. We expect consumers to continue placing a high degree of importance on security, as value propositions based on enhanced data sharing continue to emerge.

Privacy is non-negotiable. By 1950, the United Nations had already enshrined privacy as a fundamental human right. Even so, as technology evolves, new privacy concerns continue to emerge. 

Today, EY research shows

54%

say COVID-19 has made them even more aware of the personal data they share. That’s exactly why it must be addressed clearly and deliberately in the social pillar of your ESG framework.

Outlining how you’re respecting privacy rights across your entire value chain — including third parties you work with — measuring progress and improving accordingly speaks loudly to the social impact your organization makes. Entrenching privacy in the framework tells stakeholders you’re empowering them with real choices about their data.

To do so effectively, ask questions like:

  • Do we have a firm grasp on the materiality of privacy for our industry broadly and our business specifically?
  • Do we have transparent goals and metrics to support our progress
  • How do we reflect the ways in which we’re going beyond the fair, legal minimum requirements to cultivate a safer user experience for our customers and key stakeholders?
  • Are we empowering customers, communities, employees and any other relevant stakeholders with enough control over their own data and activities?
2. Govern privacy like it’s central to your organizational purpose. 

Stakeholders have come to absolutely expect a purpose beyond profit. They want to know a business proposes solutions to economic, environmental and social issues. 

With more than

40%

of Canadian businesses saying they have never been as concerned as they are now about their ability to manage cyber threats, it’s fair to say privacy and effective privacy governance are burning issues for organizations and critical infrastructures that underpin economic stability.

Purpose, governance and accountability are now intricately connected in World Economic Forum metrics designed to measure a company’s ability to create long-term value. To be sure, compliance matters. As Canada’s Bill C-11, the European Union’s General Data Protection Regulation (GDPR) and other legislation continue to set precedents and generate data points, regulators will have new ways of comparing how a given organization is addressing privacy. But as consumers, markets and investors define long-term value creation in evolving ways, organizations must future-proof beyond fragmented legislation. Failing to comply could cost your organization millions in fees and fines. But failing to live up to changing customer expectations around privacy could take you out of the game altogether.

To do so effectively, ask questions like:

  • How often are we revisiting our privacy governance framework?
  • Does our board have the necessary privacy knowledge and can it play a more active role in privacy governance?
  • How will the staged return to physical workspaces impact our privacy controls if some of our workforce continues to work from home?
  • Do we have the right governance tools in place to effectively demonstrate and qualify the ways in which cybersecurity and privacy tie into our corporate values and organizational purpose? 
3. Align your approach to privacy with your energy decarbonization efforts. 

Data processing drives up energy consumption. As emerging technologies like blockchain or non-fungible tokens such as Bitcoin become more mainstream, the energy required to support privacy tied to these areas could skyrocket — negatively impacting decarbonization. That’s compounded by our ongoing shift to an increasingly paperless world, which is pushing ever more personal data — and privacy risk — online. Embracing the RSIO (reduce, switch, innovate, offset) framework for decarbonization can help embed privacy in your broader efforts to dial down energy consumption across the business. That could take shape in many ways — for example, innovating to minimize data collection and storage using sustainable solutions that require less computing power. 

To do so effectively, ask questions like:

  • How are we decarbonizing our energy profile?
  • Which aspects of our privacy strategy have the greatest potential to reduce, switch, innovate or offset energy use?
  • Using the RSIO framework as a guide, where can we upgrade our digital privacy protection systems to draw less energy overall?
  • What targets can we set around data minimization and deletion to show a well-developed and agile data-subject request process with an upside for the environment?

What’s the bottom line? 

Privacy risks are evolving just as quickly as customer expectations and regulatory legislation. Treating privacy as a critical lever to drive measurable progress against ESG priorities tells stakeholders you value their privacy as much as they do. That kind of statement can set you apart in a post-pandemic market where new value drivers are already transforming your bottom- and top-line results. Govern it with the same rigour you’d apply to any other requirement to generate that most critical tenet of long-term value: trust.

Summary

Connecting privacy to your ESG strategy is essential in an increasingly digitized world. You can better position privacy as an ESG priority and prepare your business for the future by taking steps such as championing it as a human right, governing it as central to your organizational purpose and aligning it to your decarbonization efforts.

About this article

Authors
Roobi Alam

EY Canada Privacy Leader

Roobi is a privacy professional who is determined to help organizations and individuals realize why privacy is power.

Carlos Perez Chalico

EY Canada Private Cybersecurity and Privacy Leader

I have over 23 years of experience in cybersecurity, IT risk management and privacy matters. In my free time, I read, write, go route-cycling and volunteer.