
Privacy is the next pillar in the ESG evolution

By Brian Lesser, Chairman and chief executive officer

February 27, 2023 | 8 min read

Consumer data privacy needs to become a core component of how businesses think about doing good, writes InfoSum exec Brian Lesser.



Milton Friedman’s assertion, made over half a century ago, that businesses should do everything they can to maximize profits “while conforming to the basic rules of the society,” seems somewhat outdated to a 21st-century mind.

Nowadays, there is a much greater focus on the purpose and responsibilities of businesses. Environmental, social and corporate governance (ESG) has become the framework used to ensure an organization causes no harm to – and generates value for – all stakeholders, including suppliers, customers, employees, shareholders and the environment itself.

While we still require a system of checks and balances to ensure organizations don’t merely use ESG initiatives to greenwash their reputations, it’s evident that upholding these principles has real business benefits. In 2021 around $18.4tn was invested in companies that follow ESG principles, and PwC projects that this number will rise by 84% to $33.9tn by 2026.

We live in a better world today because so many businesses have incorporated ESG into their strategies. But this framework needs to evolve even further to reflect the modern world – by bringing privacy into the mix.


Privacy must be part of the ethos of businesses

If ESG is the notion that businesses need to do right by their customers, their employees, society and the wider world, then incorporating privacy under the same banner is the next logical step. The way that organizations collect, store, use and share data needs to be brought into line with ESG principles.

Many businesses simply don’t take privacy seriously enough, as evidenced by the multitude of serious data breaches that occur on a seemingly daily basis. Twitter, Chick-fil-A, PayPal, MailChimp, T-Mobile and JD Sports all reported data breaches in January of this year. And it's no small misstep: the average cost of a data breach in 2022 was $4.35m – the highest it's ever been – according to an IBM and Ponemon Institute study.

While immature or insufficient controls over data access can have severe consequences for all stakeholders in a business, it's clear that many companies still approach privacy as a compliance box to tick. They don't want to prioritize user privacy or believe it's the right thing to do – they implement privacy measures only because they have to.

But the threat of a hefty fine shouldn’t be the motivating factor when implementing privacy initiatives. Privacy initiatives should be born out of a genuine respect for consumers and the desire to do the right thing.

The privacy landscape is changing

The way we approach privacy needs to be in tune with the times – and there are several consumer and data management trends shaping the privacy landscape at the moment.

Firstly, existing and emerging legislation means that 75% of the world’s population will have its personal data covered under modern privacy regulation by 2024, according to Gartner’s projections.

While organizations will have to ensure that their privacy protections are up to scratch in order to comply with these regulations, there’s a second significant trend to consider. Consumers are increasingly aware of how their data is collected, stored and used.

With a growing appreciation for the value that organizations are deriving from their data, 67% of consumers are now more vigilant about their online privacy, according to research by Integral Ad Science. Businesses need to meet customer expectations around data protection.

Finally, major decisions by some of the biggest tech companies and platforms are driving privacy forward. Apple’s Tim Cook said at the IAPP Global Privacy Summit last April that “privacy is the most essential battle of our time” following the company's rollout of its AppTrackingTransparency feature, while Google announced it would also be placing greater restrictions on how Android users can be tracked.

Businesses must listen to the winds of change. They can’t wait to be forced to take privacy more seriously – they must lead the way.

A vision of a privacy-first future

Good intentions are one thing, but there needs to be solid action around how data is stored, used and shared to move us forward. For too long, entire industries have relied on practices fundamentally at odds with privacy. In the digital marketing and advertising world, for instance, sharing customer data across a vast ecosystem of third parties has been common practice. This went unchallenged, largely due to the belief that this was the only way to get value from consumer data.

It’s an outdated model whereby selling targeted advertising and protecting customer data are mutually exclusive outcomes. To make progress, there need to be new ways of delivering relevant advertising and content without compromising customers’ privacy. To that end, we must agree throughout the industry on some privacy principles for the appropriate consumer data-value exchange. My proposals are:

1. Firstly, all organizations must respect consumer consent. Consumers are smart about what they get in return for volunteering their data. All companies need to be transparent about why they are collecting data and what they’re doing with it.

2. Secondly, businesses should collect, store and use only the data they need to deliver a great customer experience.

3. Thirdly, organizations need to collaborate without sharing data. Once consumers volunteer their data, they should feel secure that their data is not traveling across dozens of other companies.

4. Finally, businesses must be innovative in their use of data. If they can reconstruct how they collect data and partner with other companies, they turn privacy and data security into an advantage.


While some finer points of how businesses adapt to a privacy-first future need to be ironed out, the key is approaching privacy as part of the ESG framework. Businesses that build privacy into their ethos – rather than simply complying with privacy regulations because they are legally compelled to do so – will see better outcomes. The risk of reputational damage and loss of stakeholder trust will be lowered, while regulatory compliance will be boosted. But these are secondary outcomes compared to the primary objective: doing the right thing.

Fully respecting privacy is an advantage to businesses, not a hindrance. As an industry, if we agree on consistent principles concerning customer data, we truly make privacy the next pillar in the ESG evolution.

Brian Lesser is chairman and chief executive officer at InfoSum.
