Simply put, ESG is about doing good and doing right, for people and the planet. As the ethical torchbearers of industry, companies with a strong ESG stance are seen as conscientious and trustworthy. To keep that trust intact, these companies need to not only act responsibly towards society and the environment, but also uphold data governance.
Last and usually least on the ESG agenda, governance is still seen as a compliance obligation. Look again. As digital adoption continues to increase, how enterprises manage data security, privacy, and confidentiality – all subjects of governance – has a large influence on trust, reputation, and even business outcomes.
On their part, regulators are pushing this by demanding greater data transparency and disclosures from enterprises. However, there is enough evidence that merely complying with the law does not guarantee good governance. We have all heard of instances where a “perfectly legal” Artificial Intelligence algorithm produced a biased, or even offensive, result because it was trained on a bad data set. Hyper-connectivity is opening the doors to pervasive data gathering and analysis, even surveillance.
Another problem is that some data privacy regulations, such as the “right to be forgotten”, are either difficult to enforce or don’t follow through to implementation, which means they offer little to no protection. Any data that has been shared by consent or otherwise exposed is permanently on record and could be used in as yet unknown ways in the future.
So, to be true to the ESG ideal, enterprises should be guided by its spirit of governance, rather than just the law. It means going beyond protecting data privacy and confidentiality to consider the ethics of using a technology solution that might be seen as invasive, or to find ways to use Artificial Intelligence, Machine Learning, and Big Data Analytics more responsibly. The good news is that governance is good for business, as it improves the management of risk and creates financial value for the organization and its stakeholders. When organizations accept that it is their social responsibility to protect customers’ data, they are likely to be sensitive to concerns about how the proliferation of data and use of obscure technologies could affect human lives. Regulating their behaviour to act in a more transparent and caring manner will help organizations enhance their own reputations.
What about innovation?
The challenge is that going the extra mile regarding data security, privacy and ethics may hamper innovation and digital transformation within enterprises. The consumer is also complicating the issue by demanding more personalization, seamless experiences that require data to flow between applications and even third parties, and social networking innovations like photo tagging that thrive on the idea of “going public”.
While there is no easy way out of this dilemma, incorporating data governance into the design of the ESG framework could help to avoid pitfalls during innovation. This embeds data security and privacy so deeply into the organization’s ESG fabric that safeguarding them while pursuing innovation and growth opportunities becomes second nature to the organization. Here are some things to consider:
Design it in
Data security, privacy, and confidentiality should be built into the design of products and services, systems, and business functions that gather or deal with personal information. Further, there should be clear data security, privacy, and governance metrics under the ESG framework for measuring and monitoring performance and assigning accountability within the organization. Some metrics may already be mandated but others will depend on the organization’s unique context – for example, its industry, ESG goals, and risk tolerance. The list of potential metrics includes information security certification at various levels of maturity, history of breaches, commitment to invest in cybersecurity training, etc.
Like the metrics, an organization’s data governance framework will also depend on its ESG goals. However, there are some best practices that may apply across the board. For one, the framework should cover the data lifecycle from end to end, from gathering and usage to storage and destruction. Next, privacy policies should provide for continual risk management and monitoring through regular inspection and audit. It is also very important to address the organization’s cybersecurity risks emanating from its partner and provider ecosystem. Organizations should not only follow the applicable laws but also try to adhere to recommended industry standards. Finally, data privacy and security has now become one of the defining corporate and social issues of our era. While consumer data provides huge value to businesses and profits, data privacy and security is a social value that needs recognition and respect. Hence, data security and privacy is an integral part of an ESG program.
Practice ethics and transparency
When employing solutions such as AI, Machine Learning, or Facial Recognition to automate decisions, enterprises should factor in data ethics and privacy controls to avoid bias, privacy violations, or other undesired consequences. They should also address the need for transparency in algorithms with better disclosure. Organizations must commit to privacy of data and consistently enforce it across the organization by implementing best practices like building secure connectivity models and standards for remote working and leveraging VPNs with multifactor authentication. Conducting frequent training sessions, addressing topics including but not limited to malware, phishing scams, and acceptable usage of company resources, would also go a long way in assuring customers and other stakeholders that their data is being used ethically and securely.
Estimates say 2.5 quintillion bytes of data are produced every day. It is imperative to safeguard this data and its privacy as it flows without stopping across networks, platforms, applications, and entities. Organizations should view this as not just a compliance obligation but a commitment to upholding ESG principles. By incorporating strong data governance and ethics within the ESG agenda, enterprises can not only fulfil this commitment but also ensure they contribute towards making a safe and secure society amid a digital revolution.
Views are personal. The author is Chief Information Security Officer & Head of Cyber Security Practice – Infosys.
Copyright©2023 Living Media India Limited. For reprint rights: Syndications Today