Navigating compliance: Integrating data privacy into the ESG framework for competitive advantage

  • 4 Sep 2023
  • 5 Mins Read
  • by Brian Otieno

Understanding Environmental, Social and Governance (ESG)

The phrase “Environmental, Social and Governance (ESG)” has gained prominence since 2005 and is a mainstay of corporate vocabulary today. Entities are taking strategic steps not only to align with the pillars of ESG but to entrench them in their operations. Succinctly put, the ESG Framework is a systematic approach to identifying, assessing and integrating the economic, environmental and social impacts of a business on society and the environment, as part of the core deliverables of an entity.

The ESG Framework is a critical component for corporates. It not only helps meet regulatory, risk and legal compliance demands but also supports goal setting, strategy making and the identification of risks pertaining to environmental, social and governance practices. From an environmental perspective, an entity can assess the impact of its activities or operations on the natural environment and its resources. On the social front, an entity can examine the impact of its operations on society by considering issues such as labour practices, human rights, and community engagement and involvement. On governance, the evaluation of an entity’s leadership, internal controls and overall ethical behaviour takes precedence.

ESG is also essential for stakeholders and investors. Compliant companies not only attract new investment but also draw further investment from existing investors and shareholders. Fundamentally, a solid entity is defined by more than its financial performance. Its environmentally conscious practices, unwavering commitment to social responsibility and adherence to ethical governance are also pivotal in measuring its solidity.

ESG and data privacy: Converging realms that uphold consumers’ sovereignty

Technology has permeated almost every sector of society today, bringing disruption with it. Against this backdrop, data has become the lifeblood of the modern economy. Companies, individuals and businesses in one way or another collect, store, and possibly share or use such data, and each of those activities raises privacy concerns that must be addressed.

Amidst the growing recognition of data privacy, regulators globally are now putting in place modalities, often through legislation, to ensure and enforce compliance with data privacy regulations. According to one widely cited projection, by the end of 2024 the personal data of 75% of the global population will be held in technological databases and, as a result, will fall within the scope of privacy laws and regulations. It is therefore no surprise that entities are now approaching data privacy with renewed determination. Entities now treat data privacy as a regulatory imperative rather than merely a proactive measure to enhance their reputation.

The enactment and revision of legislation across nations worldwide is evidence of the renewed importance of data protection. The collection, processing, sharing and storage of personal data have become the norm in numerous jurisdictions. This was accelerated by the COVID-19 pandemic and further buttressed by the clamour for “smart” initiatives and the proliferation of the Internet of Things (“IoT”).

This raises the fundamental question: where and how does data protection or privacy fit into the ESG framework? And is there a worthy purpose in including data protection or privacy within the ESG framework, beyond mere organisational window-dressing?

From the outset, data privacy is not solely about compliance with existing data protection laws and mitigating the risks that come with them. At the core of data privacy is the recognition of the right of individuals to protect their personal data. Similarly, at the core of the ESG framework is accountability to investors, capital market players and consumers, particularly on performance, risks and strategies measured against benchmarking metrics and standards. This is the basis of the link between data privacy and the ESG framework. Succinctly put, at the core of both data privacy and the ESG framework is the pressing dictate of upholding the user’s or consumer’s sovereignty in a capitalistic environment.

The specific interaction between ESG and data privacy is discussed under each pillar below:

(a)   Environmental

Broadly, the Environmental pillar in the ESG framework focuses on climate and climate-related risks. In this facet, it encompasses the pressing issues around climate change, pollution, and effective waste management among others.

In data privacy, the principle of frugality is central to the collection and processing requirements. Its rationale is premised on the cardinal concept of privacy by design and requires that a data processor take only what it needs and waste nothing of what it holds.

Additionally, data minimisation requires that a data processor limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. Further, it should retain such data only for as long as is necessary to meet the purpose for which it was collected. Moreover, data protection by design requires entities to incorporate appropriate technical and organisational measures when implementing data privacy principles, so that safeguards are entrenched in their data processing activities.

Essentially, for the Environmental pillar, the contention is that its interface with data privacy is not only strong but also a natural one. This plays out through the underlying need for effective use and management of resources.

(b)  Social

The Social pillar of ESG reflects how an entity relates to the society and community in which it operates. It revolves around health and safety, human capital development, product liability, stakeholder engagement and engagement with society at large.

Data protection places engagement at the core of its concerns. Firstly, it protects the right of a data subject to access, correct and erase, or seek the deletion of, their data held by a processor. Secondly, a data subject is able to obtain information on how an entity uses their data and to question the purpose for which it is collected. Finally, a data subject can hold an entity to account for its commitments regarding their data. These rights bind not only data processors but also engage other stakeholders, such as regulators, who are able to probe data processing activities and ensure that they are in line with the set regulatory requirements.

Data privacy concerns itself with protecting the interests of individuals and balancing an individual’s autonomy over their personal data against legitimate business and social interests. The intersection with the Social pillar has never been clearer.

(c)   Governance

In a broader context, governance encompasses corporate governance and conduct. It embodies how an organization sets out its policies, behaviours and practices, aligning them with legal, regulatory and compliance requirements.

On the data privacy front, statutory frameworks dictate the bare minimum operational requirements for organisations; these frameworks then need to be tailored and adopted within the organisational context, to mirror the organisation’s own circumstances, as a way of entrenching compliance.

ESG comes with compliance metrics that entities need to align with, and these are being enforced with renewed commitment in capital markets today. Relevant to this is the requirement of reporting: it is now an essential part of organisational operations that organisations report on their adherence to the ESG framework. A similar requirement applies to data privacy. This is necessitated by the fact that employee and consumer data is critical to businesses, hence the effective governance of data protection programmes has become a board-level responsibility.

In conclusion, data privacy and protection and ESG are closely intertwined. They are not only inseparable but also go beyond compliance with regulatory requirements. Responsible management, at both the internal and the external supply chain levels, is critical for organisations now more than ever. As indicated above, ESG and data privacy are greatly interlinked. With ESG compliance requirements tightening, for instance through the issuance of the IFRS S1 and IFRS S2 sustainability disclosure standards in June 2023, compliance is fundamental for entities as an ongoing concern.

To maintain customer trust and employee confidence, and to retain business partners and investors, compliance with ESG is fundamental going forward. Embedding data privacy as a component of it not only adds gloss but also sets an organisation apart.