“Data Protection as a Corporate Social Responsibility”: Integrating Privacy, Cybersecurity, and Sustainability


Authors: Kate Francis, Miriam Andrea Fadda, Andrea Strippoli


Background

Paolo Balboni, ICTLC Founding Partner, and Kate Francis, Head of Research, publish “Data Protection as a Corporate Social Responsibility” (Edward Elgar, 2023)


In today’s digital age, the importance of personal data protection and cybersecurity cannot be overstated. Eight years after the General Data Protection Regulation (GDPR) [1] entered into force and six years after it became applicable, it is clear that European law alone is insufficient to genuinely protect the rights and freedoms of individuals and foster sustainable data processing activities for the benefit of individuals and society.

At the same time, consumers are increasingly prioritizing sustainable business practices. More and more, sustainability is taken into consideration when purchasing products and making investment decisions. With this in mind, Paolo Balboni and Kate Francis drafted the first auditable framework that situates data protection and cybersecurity under the umbrellas of Corporate Social Responsibility (CSR) and Environmental, Social, and Corporate Governance (ESG). The framework was developed in the context of a multiyear research project at Maastricht University’s European Centre on Privacy and Cybersecurity, which resulted in the publication of a book titled “Data Protection as a Corporate Social Responsibility” (Edward Elgar, 2023). [2]

“Data Protection as a Corporate Social Responsibility” provides a critical analysis of the current state of data protection enforcement and furnishes practical guidelines for organisations to contribute to a more sustainable data-driven future. The aim of the framework is to assist organisations in making a positive societal impact through responsible data processing and to prevent harm to individuals through the processing of their data.


Data Protection as a Corporate Social Responsibility

CSR begins with adhering to legal requirements and extends to implementing specific strategies and practices that benefit the organisation, its stakeholders, and society at large. When this approach is applied to data protection and cybersecurity, it involves using EU data protection and cybersecurity laws as a foundation and then enhancing these standards to engage in data processing activities that benefit both the company and the broader community. This methodology is termed Data Protection as a Corporate Social Responsibility (DPCSR). DPCSR extends the principles of CSR and ESG to address the gaps left by current data-related laws. By adopting this approach, organisations can reduce negative impacts on privacy, data protection, and security while potentially boosting their ESG scores. [3] This is particularly important as ESG ratings may influence investor confidence.

The Maastricht University Data Protection as a Corporate Social Responsibility Framework (UM-DPCSR Framework) for integrating data protection into CSR and ESG activities has garnered significant attention from multiple organisations. This is primarily due to its potential to guide organisations in the integration of their data protection and cybersecurity compliance activities with those carried out by the organisation in terms of sustainability. Data protection and cybersecurity are, in fact, material for many organisations. From the carbon footprint of data centres and data transmission networks to supply chain risks to data governance and workers in the value chain, the convergence between data protection, cybersecurity, and sustainability is undeniable.


The Maastricht University Data Protection as a Corporate Social Responsibility Framework

The UM-DPCSR Framework comprises five principles, 25 rules, and 44 controls. The principles and rules of the framework can be consulted below.

Principles and Rules of the UM-DPCSR Framework


Principle 1. Embed data protection, fairness, and security in the design of processes

Rule 1: Implement Data Security by Design. The Organisation shall implement Data Security by Design into its data processing activities throughout the whole life cycle. “Keep it secure”

Rule 2: Implement User Empowerment by Design. The Organisation shall actively empower individuals with respect to their data. “Keep it user-centric”

Rule 3: Implement Fairness by Design. The Organisation shall ensure that the fundamental rights to privacy and data protection are upheld by designing and developing systems that process personal data in a proportional, fair, and secure manner. “Keep it fair”

Rule 4: Implement “Loyalty” by Design/Fiduciary commitment. The Organisation shall coherently apply the tenets of fiduciary commitment to data processing activities. “Keep it loyal”

Rule 5: Implement “Digital Solidarity” to uphold human rights. The Organisation shall only apply business models that permit the fair, transparent, and secure use of data in a way that benefits society. “Keep it solidary”


Principle 2. Be transparent with individuals about the collection and further processing of their data

Rule 1: Before processing. The Organisation shall use icons (and sounds) for an easily visible, intelligible and clearly legible provision of information concerning the intended processing.

Rule 2: During processing. Be transparent about how the processing (for example, fully automated decision making by algorithms) works. The Organisation shall implement new modalities that render the data processing transparent by way of, for example, the use of images, standardized icons, flashing lights, and sounds.

Rule 3: Be clear about how the Organisation benefits from the processing of data and the subsequent benefit for society derived from such processing. The Organisation shall be transparent about how it benefits from the data of individuals and how it provides benefits (fair in-kind value) to individuals or society at large.

Rule 4: Actively test the effectiveness of institutional transparency information (outward-facing privacy and data protection documentation) with individuals. The Organisation shall regularly assess the understandability of the information provided to individuals about the use of their data.

Rule 5: Regularly publish Transparency Reports. The Organisation shall publish reports which showcase how it informs individuals about the collection and further processing of their data and the effectiveness of the means used to convey such information.


Principle 3. Balance profits with the actual benefits for citizens

Rule 1: Carry out a Profitable and Beneficial Test (P&B Test). The Organisation shall carry out a P&B Test to evaluate how data processing activities benefit both the Organisation and society.

Rule 2: Engage with stakeholders to understand their values and beliefs when selecting suppliers. The Organisation shall survey stakeholders to find consensus in common goals and greater objectives.

Rule 3: Establish trusted data processing activities (for example, for use in AI and big data analytics) that actively oppose bias and discrimination. The Organisation shall actively seek not to cause harm.

Rule 4: Organise data processing activities in consideration of the environment and climate issues. The Organisation shall minimize data processing activities to actively contribute to the reduction of energy consumption and carbon emissions along the value chain.

Rule 5: Carry out a Materiality Assessment. The Organisation shall carry out materiality assessments at regular intervals to ensure alignment with ever-changing social, economic, and environmental needs.


Principle 4. Publish relevant findings based on statistical/anonymized data to improve society

Rule 1: Business to Consumer Data Sharing. The Organisation shall make findings derived from data known to consumers by way of understandable and useful Digital Society Insights Reports. “B2C Data Sharing”

Rule 2: Business to Business Data Sharing. The Organisation shall engage in or establish secure and transparent data collaboratives with relevant peer-stakeholders to improve the analytical potential of the data in its possession. “B2B Data Sharing”

Rule 3: Business to Government Data Sharing. The Organisation shall actively seek to provide the public sector with relevant data-based insights. “B2G Data Sharing”

Rule 4: Business to Research Data Sharing. The Organisation shall engage in business to scientific research data sharing to provide data to sustainable innovation initiatives, following the FAIR data principles. “B2R Data Sharing”

Rule 5: Business to Humanitarian Action Data Sharing. The Organisation shall engage in business to humanitarian aid data sharing to support humanitarian actions. “B2H Data Sharing”


Principle 5. Devote a portion of revenues to awareness campaigns for citizens with regards to the data-centric society

Rule 1: Invest in digital social capital to promote social enterprise within the Organisation. The Organisation shall make use of digital and data-driven tools to engage internal stakeholders with the aim of positively contributing to the Organisation.

Rule 2: Allocate a portion of revenue to be devoted to awareness campaigns, in and outside of the Organisation. The Organisation shall implement a metric/model that will identify an adequate portion of revenue to be devoted to awareness campaigns.

Rule 3: Develop a yearly data awareness program. The Organisation shall make a programme available to individuals with clear objectives regarding data protection and cyber-/data-security literacy.

Rule 4: Contribute to digital educational initiatives for youth. The Organisation shall carry out concrete actions to further education about data protection rights and cybersecurity hygiene for youngsters.

Rule 5: Actively promote the protection of individuals in relation to data practices. The Organisation shall devise specific outreach programs on disinformation, fake news, and data-driven threats.


By following the five principles and 25 rules constituting the framework, organisations can potentially improve their transparency and accountability and engage in fair and secure data processing activities. In this way, organisations can positively contribute to the greater good of a sustainable data-driven economy and a democratic digital society.


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[2] Paolo Balboni and Kate Francis, Data Protection as a Corporate Social Responsibility, Edward Elgar, 2023, https://www.e-elgar.com/shop/gbp/data-protection-as-a-corporate-social-responsibility-9781035314157.html

[3] PwC, 20 October 2022, https://www.pwc.com/us/en/tech-effect/cybersecurity/building-trust-with-esg-cybersecurity-and-privacy.html

ICTLC Italy
italy@ictlegalconsulting.com