Privacy increasingly top priority in organisational sustainability assessment

How privacy contributes to your ESG ambitions

  • Blog
  • 27 Jun 2023

With the advent of ESG, a compliance and risk-based approach to personal data protection is no longer sufficient, say Soraya Santhalingam, Beau van Leenders and Bram van Tiel, PwC experts in cyber and privacy.

Like most organisations, you are paying more and more attention to data protection and to a serious privacy policy. With the advent of the ESG (environmental, social & governance) framework, a compliance and risk-based approach to personal data protection is no longer sufficient. When it comes to the ethical and sustainable choices a company makes, privacy is increasingly a top priority for stakeholders.

The importance of ethical data processing

Although the ESG guidelines were initially quite elusive, they are becoming more and more concrete. This is partly due to the increase in new laws and regulations, such as the Corporate Sustainability Reporting Directive (CSRD). Meanwhile, the General Data Protection Regulation (GDPR) has been setting the global gold standard for personal data protection for five years now.

In addition, court rulings such as Schrems II shape the debate on cross-border transfers of personal data and the impact on organisations. Furthermore, new European laws such as the Artificial Intelligence Act and the Data Governance Act increase the importance of ethical data processing.

Assessing an organisation's sustainability

As a result of all this, the emphasis has shifted from the compliance and risk-based question of 'what does the law allow?' to more ethical questions such as 'what should you do?' and 'what do stakeholders such as my customers and employees expect?' Privacy and data protection may not be the first themes you think of when it comes to ESG. In the assessment of the overall sustainability of an organisation, they have become an important component not only for investors, but also for other stakeholders. 

The protection of personal data constitutes a human right

The protection of personal data is a human right, grounded in the Universal Declaration of Human Rights and the European Convention on Human Rights. Companies collect all kinds of personal data in pursuit of their commercial objectives. It should be clear that in doing so they carry a social responsibility and must protect the rights and freedoms of consumers. Now that technologies such as artificial intelligence are on the rise, it is all the more important that the large amounts of (personal) data collected are handled with care. Detailed policies and procedures should therefore be in place within the company, and a dedicated privacy officer should be appointed.

Keep in mind that a data breach can have a negative impact on your organisation's ESG rating in addition to possible financial and reputational damage. If the breach is severe enough, it could affect scores for years to come.

Reducing the risk of data breaches 

Effective incident management and transparency can help, however. In particular, ESG analysts want to see data on the frequency and impact of breaches, the procedures you follow to handle a breach quickly and carefully, and the way in which you inform customers, regulators and other stakeholders. They are also interested in the measures you take to reduce the risk of data leaks in the first place.

It would be efficient for organisations if they could improve both their privacy structure and their ESG reporting in one go. We believe that starts with accurate and reliable data. The design of your privacy structure is then an important factor in demonstrating how you protect so-called 'data sovereignty': how does your organisation enable data subjects to exercise their rights, and how do you handle data leaks?

Measures to strengthen both ESG aspects and privacy 

To address both the social and governance aspects of ESG and to strengthen your privacy structure, you should take at least the following measures:

  • Establish an appropriate privacy governance structure.
  • Set up a well-functioning process for exercising privacy rights, such as access to and correction of personal data.
  • Create an understandable privacy statement and a complete record of processing activities. This way you guarantee transparency and enable data subjects to exercise their rights.
  • Protect personal data using effective technical and organisational measures, such as pseudonymisation.
  • Provide sufficient data mapping to identify international transfers, given the global nature of data processing.
  • Establish a clear procedure that must be implemented in the event of data breaches or other incidents.
  • Create a data management roadmap as input for your reporting/dashboards.
  • Use frameworks to decide on ethical use of personal data and algorithms.
  • Make sure you are transparent about the number of data breaches within your organisation and their impact.
  • Ensure the right systems support effective and efficient reporting.

Please be aware that there is no one-size-fits-all approach to incorporating privacy and data protection into your ESG program. It requires a holistic approach, taking into account the different reporting requirements, industry-specific requirements and of course the existing reporting standards within your organisation.

Contact us

Soraya Santhalingam

Manager Advisory, PwC Netherlands

Tel: +31 (0)6 11271206

Beau van Leenders

Associate, PwC Netherlands

Tel: +31 (0)6 43198274

Bram van Tiel

Partner Cybersecurity & Privacy, PwC Netherlands

Tel: +31 (0)62 243 29 62