This article is the last of a three-part series considering environmental, social and governance indicators ("ESG") and the factors that have the potential to impact the components of ESG. In the second article in this series, we explored anti-corruption and bribery as an ESG factor. The fight against corruption does not exist in a vacuum and may, at times, experience friction with other ESG factors. As alluded to earlier, data security and the protection of personal information may also impact ESG components. That impact is not purely positive: increased privacy may have a dampening effect on anti-corruption processes because it reduces transparency.
Storing data requires hardware, and collecting and analysing it consumes energy. Both have an undeniable impact on the environment, and companies are becoming more astute in how they use and store data. Data centres are implementing energy-efficient technologies, relying on renewable energy sources and resorting to carbon offset programmes, all in an effort to reduce their carbon footprint. Other techniques include reducing the duplication of data, compressing data, intelligent load balancing and load placement, and maximising the use of existing resources. This "greening" of data can lead to decreased operational costs, improved data management and improved efficiency whilst reducing a company's impact on the environment.
It has further been posited that privacy and the protection of personal information can indirectly impact both the governance and social components of ESG, even though privacy itself is often overlooked in ESG models.
Proper data collection, storage and processing has become essential, given that large troves of information, some of it undoubtedly of a private nature, are stored and analysed by multinational entities. This information is exceptionally valuable and vulnerable to abuse. The end user is often unaware of how their data is being captured, stored and analysed. The prevailing threat of cybersecurity breaches, and the ease with which data is transmitted from one entity to another (often to entities operating in a wholly different jurisdiction), compound the problem.
Many countries have recognised that personal information should be protected and that limitations should be placed on how this information is used and/or disseminated, through instruments such as the General Data Protection Regulation in Europe and the Protection of Personal Information Act, 4 of 2013 ("POPIA") in South Africa. The increased regulation in this sphere is a commendable development, and one that is likely to gain momentum. It is therefore unsurprising that corporate entities have started to recognise the social impact of the use and dissemination of data.
Ideally, corporations should aim to collect the minimum amount of data; ensure that information is collected in a manner that is transparent as to both the method(s) of collection and the intended use of the information; ensure that data is stored securely (data security); and ensure that information is not shared with third parties without the consent of the user (data privacy). Particular care should be taken where information is collected in respect of those who are more vulnerable, such as minors or persons with certain medical conditions.
Companies should therefore go further than merely ensuring that they comply with the relevant regulations and should recognise that privacy is a social value.
The right to privacy is protected in South Africa in terms of section 14 of the Constitution of the Republic of South Africa (1996), the common law and legislative instruments, such as POPIA.
POPIA was enacted with the purposes of, inter alia, protecting personal information, introducing minimum requirements for the processing of personal information and the establishment of an Information Regulator.
South Africa enacted POPIA in 2013, although the Act only commenced in July 2020 and became fully operative, after a one-year grace period, in 2021. The legal developments in this sphere should be understood within the broader context of rapidly increasing use of technology and of interactions between individuals and businesses in the virtual space, which has led to a plethora of information being stored and analysed. It has, accordingly, become imperative that corporate entities ensure that they are fully compliant with POPIA.
Corporate entities with a multi-jurisdictional footprint should note section 72 of POPIA, which places limitations on the transfer of personal information outside of the Republic. Under that section, personal information may be transferred outside of the Republic where the recipient is subject to a law, binding corporate rules or a binding agreement that upholds principles for the reasonable processing of personal information substantially similar to the conditions for lawful processing under POPIA, and that likewise restricts onward transfer of the personal information to another jurisdiction where these protections are limited. Section 72 also recognises a small number of alternative grounds for transfer, such as the consent of the data subject or where the transfer is necessary for the performance of a contract with the data subject.
Multinational entities and South African corporate entities that conduct business in numerous jurisdictions would be well advised to ensure that their contractual arrangements, at a minimum, protect personal information to substantially the same degree as POPIA does.
Data breaches, and the improper collection, handling, storage or dissemination of data, could all adversely affect a corporate entity's reputation, alienate its customer or consumer base, and lead to the imposition of regulatory fines and/or civil liability.
Corporate entities clearly benefit from implementing data governance policies to ensure that they manage data correctly. Such policies should include guidelines on the collection, storage and processing of information; on which data is to be treated with increased circumspection; on the measures relied upon to secure and protect the data (section 19 of POPIA requires appropriate, reasonable technical and organisational measures to secure personal information); and on when data is to be disposed of.
It is further recommended that employees are adequately trained, that procedures are in place for reporting data breaches (section 22 of POPIA requires the Information Regulator and affected data subjects to be notified of a security compromise), and that the data governance policy is periodically reviewed and updated.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.