INTRODUCTION
Environmental, social, and governance (ESG) integration into corporate decision-making has been profoundly transformed. Once considered a niche concern, ESG factors are now recognised as essential drivers of long-term sustainability and value creation for businesses worldwide.1 Concurrently, data protection and privacy have become a growing concern. The escalating importance of data privacy has prompted regulators, businesses, and consumers to scrutinise the collection, use, and protection of personal data with unprecedented rigour. Data protection is considered an area that will have profound implications for ESG if privacy and data protection policies grounded in existing data protection laws are not implemented effectively. Organisations are beginning to view data responsibility as integral to their ethical and sustainable business practices as investors increasingly consider new ESG developments in their decision-making processes.2 This connection emphasises the importance of ethical data handling, regulatory compliance, risk management, and corporate reputation enhancement. Companies with strong data protection practices are likely to attract investment, as they align with the growing demand for responsible and sustainable business practices in the ESG context. This article discusses the connection between data protection and ESG in corporate operations. It recognises that although data protection and sustainability regulations are not directly connected, together they make it vital for companies seeking to enhance corporate responsibility through their sustainability commitments to balance ESG with ethical data governance.
MEANING OF ESG AND DATA PROTECTION
ESG is a framework to assess an organisation's business practices, sustainability and ethical performance. ESG merges three critical aspects of corporate responsibility to estimate and manage the impact of sustainability and ethical practice on an organisation's operations by supplying a means of quantifying opportunities for businesses and risk factors. Data protection refers to the processes, policies, and technologies designed to safeguard personal and sensitive information from unauthorised access, use, disclosure, alteration, or destruction. Data protection ensures privacy, integrity, and availability, particularly with personal data. The key aspects of data protection include the legal and regulatory framework, data processing principles, technological safeguards, data protection strategies, data breaches, and the rights of data subjects.3
What are Data Privacy Risks in ESG?
Data protection links with ESG during data collection, management, analysis, and reporting.4 Accordingly, privacy risks in ESG arise primarily from handling and disclosing personal data during ESG reporting and compliance efforts, data transfer, and technology usage. Privacy risks in the ESG context are growing as businesses increasingly rely on data to meet ESG goals. Thus, they must manage this data responsibly to avoid regulatory and reputational pitfalls. Companies must prioritise cybersecurity and provide sufficient resources and expertise to support their efforts by investing in cybersecurity, anonymising data, implementing encryption and limiting access controls to secure data storage and transmission, and maintaining privacy principles.
Some privacy risks in ESG practice include:5
- Unclear consent: Consent in data protection applies only to the processing for which it was obtained; further processing requires further consent. Companies must obtain explicit consent before data collection, using simple language and an accessible format; consent must be affirmative,6 whether written, oral or electronic.7 Before obtaining consent, a data controller must inform data subjects about its identity, residence, communication methods, the basis for processing, intended purposes, recipients, data subject rights, retention period, complaint rights, automated decision-making, and the right to contest and challenge the processing of such data.8 Employees and consumers ought to be fully aware of how their data is managed and used; a data subject's unawareness is a potential violation of privacy laws.
- Overcollection of data: Data minimisation and purpose limitation are privacy principles at the forefront of data processing. The former mandates collecting only necessary personal data and keeping it only for the required time, while the latter requires data to be collected for specific and legitimate purposes and processed solely for the purpose for which it was collected.9 These principles restrict the extent and purpose of data collection to mitigate risk, protect privacy, decrease the server space and energy required to store excess data, and reduce the data footprint, resulting in a greener environmental impact. Companies may gather more personal data than necessary, which increases the risk of data breaches or misuse. Thus, only relevant and sufficient data should be collected, processed,10 and kept only as long as required to meet the legal justification for the collection.11 Overcollection of data enables intrusion upon an individual's privacy or excessive or unjustified surveillance, a risk to personal control. The NDPR Implementation Framework 2020 sets retention timelines for data storage: three years following the data subject's most recent active use of a digital platform; six years after the most recent transaction under a contract; upon presentation of evidence of the data subject's death; or immediately upon request by the data subject or legal guardian, where no statutory provision requires retention and the data subject is not subject to an investigation or suit that may require the data sought.12
- Data Breaches: As companies increasingly digitalise data, they become cyberattack targets. Sensitive information about employees, investors, customers, suppliers, the community, and other stakeholders can be exposed if proper security measures are not implemented, leading to financial, reputational, and legal damage. Data breaches can severely harm a company's ESG standing, especially in governance and social responsibility. Privacy impact assessments should be conducted to proactively identify and address potential risks while analysing data at scale.
- Regulatory Compliance: Companies must ensure their data practices align with local privacy laws and international standards. To mitigate privacy risks in ESG practices, companies must implement data privacy policies and adhere to several relevant regulatory provisions, such as the NDPA 2023, the NDPR Implementation Framework, 2020, the General Data Protection Regulation (GDPR) 2016, the Nigerian Data Protection Regulation (NDPR), 2019, and the NITDA Guidelines for Nigerian Content Development in Information and Communication Technology 2019 (as amended). Fulfilling regulatory obligations for data protection and compliance requirements for ESG in corporate practices will create synergy. In contrast, failure to comply with data regulations while processing ESG data could lead to fines, penalties, and loss of investors and trust.
- Cross-Border Data Transfers: Data reporting frequently entails cross-border data sharing, which poses risks due to different privacy regulations in various jurisdictions. In Nigeria, it is illegal for data processors and controllers to transfer personal data outside the country unless the recipient is subject to adequate protection or one of the conditions listed in Section 43 of the NDPA.13 The Nigerian Data Protection Commission may require data controllers and processors to inform them of these measures and explain their adequacy. Additional restrictions may be imposed based on the nature of the data and risks to data subjects. In Europe, the European Union's Schrems II ruling14 has complicated international data transfers, making it essential for organisations to manage privacy risks in global ESG reporting efforts.
- Ethical Use of Technology: AI and data analytics are increasingly used to measure ESG performance but can introduce ethical risks. For example, AI algorithms that analyse employee data for diversity metrics might inadvertently discriminate or misuse personal data if not properly governed.
- Transparency and Accountability: Companies adopting ethical considerations in data processing must have a transparent system for accountability during data breaches, as stakeholders expect clarity on how companies handle personal data in the context of ESG initiatives. Ethical breaches, such as misrepresenting data privacy practices or failing to safeguard personal information, can damage a company's reputation and trustworthiness in ESG reporting.
THE NEXUS BETWEEN DATA PROTECTION AND ESG
As companies increasingly embrace ESG frameworks to guide their operations and investments, an intersection emerges between corporate responsibility and data protection responsibility. This connection can be seen in certain areas where both distinct fields seek similar results, such as ethical responsibility, corporate reputation, regulatory compliance, risk management, sustainable business practice, and investors' expectations. At this intersection, companies must navigate the moral duties of ESG, which are rooted in how companies balance profitability and sustainability with the legal obligations surrounding data privacy.
Connecting the Nigerian Data Protection Act (NDPA) 2023 with ESG
The NDPA 2023 defines adequate safeguards for personal data by considering factors such as enforceable data subject rights, the rule of law, appropriate instruments between the Commission and competent authorities, public authority access to personal data, effective data protection laws, independent supervisory authorities, and cross-border data transfer, providing a comprehensive framework on personal data security to protect individual privacy and data in Nigeria. The Act establishes the Nigeria Data Protection Commission (NDPC), outlines the Commission's duties in regulating data processing activities, and sets out the Commission's Governing Council and its responsibilities in overseeing data protection practices. The Act addresses individuals' rights to their data. It establishes guidelines for data processing, data breach procedures, and cross-border data transfer, as well as the legal foundation and guiding principles of data processing, data subjects' rights, data security, enforcement, and legal proceedings. Its significant principles include lawfulness, fairness and transparency, accuracy, purpose limitation, data minimisation, storage limitation and accountability. The NDPA connects with ESG in governance, social responsibility, transparency, and risk management. Complying with the NDPA can strengthen a company's ESG performance, as it demonstrates a commitment to ethical, appropriate data management and respect for the privacy rights of individuals. Conversely, non-compliance can lead to reputational damage, negatively impacting a company's ESG ratings.
The NDPA 2023 links with ESG principles in certain key areas, such as:
- Data Protection and Governance: "Governance" in ESG emphasises transparency, accountability, and ethical business practices. It encompasses the composition of the board, executive compensation, risk management, transparency, and accountability that guide corporate behaviour, decision-making, and oversight. The NDPA emphasises accountability in data processing and mandates that organisations in Nigeria protect personal data. This aligns with ESG governance standards that require businesses to adopt responsible management practices, including sophisticated data security measures. The NDPA establishes the independent NDPC to regulate personal data processing. The Act mandates that data controllers of "major importance" designate a Data Protection Officer to handle data of considerable importance.15 One of the tasks of this officer is to advise the data controller on compliance with the Act, which would include ensuring the proper handling of children's data. The NDPC's responsibilities under the Act strongly align with good governance practices: promoting sound data processing practices, guaranteeing lawful, fair and accountable data processing, promoting transparency and public awareness of personal data protection, encouraging businesses to adopt international best practices for data protection, and collaborating with relevant government bodies and international organisations to ensure adherence to data protection obligations.
- Privacy and Social Responsibility: "Social" in ESG covers human rights, employee well-being, and fair treatment, which includes respecting individuals' privacy. This aspect highlights the significance of respect for human rights in business practices. It encompasses a broad spectrum of factors related to human capital management, diversity and inclusion, labour practices, community engagement, and stakeholder relations.16 Relevant social data includes vendor relationships, employee welfare, healthcare initiatives, gender equality, race equality, religious equality, workforce demographics, employee satisfaction surveys, and diversity statistics.17 Such data reflects the company's relationships with its employees and other stakeholders and is used for reputational advantage as it upholds corporate responsibility. Data protection concerns deal with the data subject's confidentiality, understanding, and consent. The NDPA reinforces this by protecting individual privacy rights, particularly in how organisations collect, store, and use personal data. Organisations are expected to handle personal data ethically, ensuring that individuals' rights and freedoms are respected, which contributes to their social licence to operate, because the impact of technology and data processing on individuals falls within ESG's social pillar.18 Therefore, informed consent must be obtained before data collection, using simple language and an accessible format, so that the data subject understands the consequences of the processing and their rights as a data subject, and consent must be affirmative, whether oral, written or electronic.
Although the NDPA does not provide for any special category of data, Article 9 of the GDPR 2016 provides that data revealing racial origin, biometric data, health data, trade union membership, and so on is regarded as a special category of data and cannot be processed to identify the data subject.19 So, before proceeding with such processing, explicit consent for data processing must be obtained, and the processing must be necessary and not contradict any of the provisions listed in Article 9(2) of the GDPR 2016. The NDPA emphasises the need for data processors and controllers to be accountable for upholding these rights. Specific provisions within the NDPA directly serve to protect individuals in the social sphere of ESG.
- Data Breach Notification: The NDPA mandates organisations to report data breaches, minimising individual harm. If a breach occurs, the processor must immediately notify the data controller and respond to all information requests by the controller. Upon awareness of a high-risk data breach, the controller must inform the NDPC within 72 hours, describing the nature of the violation and categories of data subject.20 The data controller must also unambiguously notify the data subject immediately if it is a high-risk breach. All notifications should bear the details of the data controller, describe the probable implications of the breach, and explain measures taken to address it.21
- Rights of Data Subjects: The Act grants individuals the right to access, object,22 correct, and delete their personal information, promoting individual autonomy and control.23
- Children's Data Protection: The NDPA explicitly addresses the data rights of children, recognising their vulnerability and need for enhanced protection in the digital sphere. Given their vulnerability, it contains particular clauses that safeguard the personal information of minors and individuals without legal capacity. Since children cannot fully comprehend the implications of processing their data, a data controller must obtain parental consent or approval from a legal guardian before processing a child's data.24 The NDPA mandates that data controllers implement appropriate mechanisms to verify the age and consent of individuals before processing their data, taking available technology into consideration. This shows the importance of due diligence in protecting children's data online. The Act further outlines specific situations where processing children's data without consent is permissible: where the processing is necessary to protect the child's vital interests, for educational purposes, for medical or social care (provided it is undertaken by a professional or similar service provider owing a duty of confidentiality), or where it is necessary for proceedings before a court.25
- Data Collection and Environmental Sustainability: "Environment" in ESG involves resource conservation, energy efficiency, waste management, and reduction of greenhouse gas emissions. Data collection poses a serious future problem, as companies have collected and analysed vast amounts of data in the last few years. This pillar deals with how companies increasingly recognise the importance of measuring and disclosing their ecological impact as part of their broader commitment to sustainability and corporate responsibility.
As data management technology continues to improve, the inclusion of data protection among ESG concerns is a new development centred on the collection and storage of unnecessary data, which yields electronic waste because seemingly unlimited cloud-based storage has a long-term impact on the environment. Companies can prioritise data responsibility by integrating environmental considerations into their business practices. This development has caused companies to seek energy-saving ways to build and operate their data centres and physical servers, because more data collection and storage requires physical servers, which in turn require additional server space, hard drives, and other electronics, leading to physical waste and increased energy consumption in the long run. While not its primary focus, the NDPA indirectly supports environmental goals by promoting electronic communication between the data controller and data subject, encouraging digitalisation and reducing reliance on physical documents and their associated environmental impact.
- Data Management and Transparency in ESG Reporting: The NDPA requires organisations to be transparent about how they handle personal data, including obtaining consent, the purposes of data processing, and individuals' rights. In the ESG context, transparency is key to reporting sustainability efforts, and data privacy disclosures have become an essential part of ESG reporting frameworks. Presently, consumers are concerned about the ethical use of their data. They want responsibility and openness from the companies they are affiliated with,26 so when reporting, transparency and accountability practices should also be at the forefront to build trust and assurance of control in data processing.
- Risk Management and Regulatory Compliance: ESG emphasises effective regulatory compliance, while the NDPA emphasises effective risk management. Data privacy risks are part of a company's broader ESG risk profile, because failing to comply with data regulations can lead to legal penalties, affecting the company's regulatory standing. The NDPA is a data protection framework that serves as a regulatory standard in ESG compliance. The NDPA mandates companies to conduct a data privacy impact assessment to evaluate whether a proposed data processing activity may put individuals' data at risk. Companies should integrate data protection impact assessments (DPIAs) into their ESG risk management processes. This ensures that data privacy risks are considered when assessing overall ESG-related risks, especially when implementing new technologies or business models that involve personal data processing. The assessment is carried out before processing, and if it indicates risk, the NDPC must be informed. Furthermore, companies should have an incident response plan for privacy incidents, and boards must hold management accountable for upholding data privacy standards and responding effectively to data breaches or incidents.
The Corporate Sustainability Reporting Directive, 2020 (CSRD) Connecting with Data Protection
This Directive is a key European regulation that enhances transparency in sustainability reporting. It mandates companies to provide detailed disclosures on how their businesses impact ESG factors. As companies collect and report more detailed data, especially regarding social issues like diversity and labour practices, data privacy concerns are raised, making data governance strategies important. While the CSRD does not establish a distinct data protection framework, its requirements, particularly those related to social factors, disclosure, proportionality and ethical practice, create a clear connection with data protection. Companies regulated by the CSRD should proactively consider data protection principles throughout their sustainability reporting processes to ensure compliance and trust. CSRD encourages ethical and responsible practices across ESG metrics, and data protection can be identified as a component of ESG. Companies must ensure that their ESG data processing practices respect the human right to privacy, as recognised in GDPR, the European Convention on Human Rights and other data regulations. The CSRD primarily focuses on the reporting requirements. To understand the specific data protection obligations, referring to the relevant data protection regulations applicable to the company and its data processing activities is crucial.
Some ways the CSRD connects with Data Protection
- Personal Data Considerations: To comply with CSRD, companies must report on various social metrics, including workforce diversity, employee well-being, and human rights performance. These often require collecting and processing data such as gender, age, or health information, which triggers data protection regulation considerations. When reporting on social issues, companies must be cautious not to disclose personal data that could identify individuals without their consent. This is particularly relevant when discussing sensitive topics like gender pay gaps or employee demographics.27
- Disclosure and Risk Management: The CSRD emphasises the need for companies to disclose their risk management strategies related to sustainability matters. Gathering this data could involve processing personal data, which would necessitate adhering to data protection principles such as the legal basis for processing, data minimisation, and data security because of the risks associated with personal data processing. This necessitates robust DPIA to ensure that ESG reporting practices, especially those involving third parties or global operations, do not expose the company to privacy violations. Companies must assess and report on how they manage these risks and ensure that their sustainability reporting does not compromise the privacy of individuals.28
- Proportionality and Relevance: The CSRD encourages that the data reported should meet users' needs without placing a disproportionate burden on the reporting undertakings.29 The CSRD acknowledges the need for proportionality in data collection and reporting, particularly for small and medium-sized enterprises (SMEs).30 The CSRD aims to balance the demand for comprehensive sustainability information with the capacity of companies to provide it, especially those in complex global supply chains. This aligns with data protection laws, which advocate collecting and processing data only to the extent required for the intended use.
- Data Reliability and Avoiding Greenwashing: The CSRD stresses the necessity for reliable31 and accurate sustainability reporting to avoid "greenwashing" and misleading stakeholders about a company's sustainability performance.32 This emphasises an ethical responsibility to guarantee the quality and integrity of the data collected and processed for sustainability reporting. The push for assurance opinions from statutory auditors or independent assurance providers on sustainability reports further emphasises this commitment to data reliability.33
- Governance and Third-Party Transfer: The CSRD applies to companies in multiple jurisdictions, often requiring cross-border data transfers. Businesses must ensure that any data shared with third parties aligns with applicable data protection regulations, especially regarding handling personal data, as the expanding market for sustainability information typically involves third-party data providers who gather and analyse data from multiple sources.34
CONCLUSION
Companies can integrate data security to control the risks associated with data breaches and non-compliance, and manage ethical risks, so that their data processing operations contribute to the organisation's overall sustainability goals. The challenge of connecting ESG to data protection lies in balancing the need for comprehensive data collection, processing, transfer, management, and reporting with the legal obligations under data protection laws, which mandate data minimisation, consent, lawful processing of personal information, and so on. Consequently, recognising privacy principles and the legal obligations of processing as an ESG approach can offer practical guidance on how to link sustainability and data protection. Furthermore, the convergence of data protection and ESG is a strategic imperative, as this connection enables data protection and ESG to reinforce each other in upholding high standards and ethical corporate practices. As global ESG standards increasingly recognise the importance of data protection compliance, it is crucial for Nigerian companies and foreign companies operating in Nigeria to ensure they meet their legal obligations and global investor expectations regarding data protection and ESG. As digital transformation continues, the alignment of ESG and data protection will become increasingly critical; companies should therefore communicate openly with stakeholders about their data protection practices and create long-term value for shareholders by connecting data responsibility with corporate responsibility.
Footnotes
1. Permutable.ai, "The Increasing Role of ESG in Corporate Decision Making", accessed 20 November 2024.
2. Haoming Tong, "The Importance of ESG in Corporate Strategy and Investment Decisions with Patagonia as an Example" (2023) 25(1) Advances in Economics, Management and Political Sciences 88-94, accessed 20 November 2024.
3. The Nigerian Data Protection Act 2023, Part IV, s 35.
4. Velibor Božić, "The Relationship Between ESG and ICT", accessed 25 November 2024.
5. David Wright and Charles Raab, "Privacy Principles, Risks and Harms" (2014) 28(3) International Review of Law, Computers and Technology 277-298, accessed 25 November 2024.
6. NDPA 2023, Part V, s 27(a).
7. NDPA 2023, Part V, s 27(b).
8. NDPA 2023, Part V, s 27(1).
9. NDPA 2023, Part V, s 24(1)(b).
10. NDPA 2023, Part V, s 24(1)(c).
11. NDPA 2023, Part V, s 24(1)(d).
12. The NDPR Implementation Framework 2020, Art. 8.2.
13. NDPA 2023, Part VII, s 41.
14. GDPR Summary, "Schrems II A Summary – All You Need to Know", accessed 30 November 2024.
15. The NDPA 2023, Part V, s 32.
16. Alexander S. Gillis, Sandra Mathis and Craig Stedman, "What is ESG (Environmental, Social and Governance)?", accessed 2 December 2024.
17. Nadia Hammouda, "The Importance of ESG Practices in Business – Part 1", accessed 3 December 2024.
18. Susannah Wilkinson and Julia Hollis, "Data Governance, Privacy and Trust – A Sweet Spot for ESG?", accessed 3 December 2024.
19. The GDPR 2016, Art. 9(1).
20. The NDPA 2023, s 40(1) and (2).
21. The NDPA 2023, s 40(4).
22. The NDPA 2023, Part VI, s 36.
23. The NDPA 2023, Part VI, s 34.
24. The NDPA 2023, Part V, s 31(1).
25. The NDPA 2023, Part V, s 31(4).
26. Samantha Martin-Woodgate, "Understanding Data Security and Privacy in ESG", accessed 3 December 2024.
27. The Corporate Sustainability Reporting Directive 2023, Art. 49.
28. The Corporate Sustainability Reporting Directive 2023, Art. 30.
29. The Corporate Sustainability Reporting Directive 2023, Art. 46.
30. The Corporate Sustainability Reporting Directive 2023, Art. 21.
31. The Corporate Sustainability Reporting Directive 2023, Art. 37.
32. The Corporate Sustainability Reporting Directive 2023, Art. 13.
33. The Corporate Sustainability Reporting Directive 2023, Art. 60.
34. The Corporate Sustainability Reporting Directive 2023, Art. 10.