Connection between ESG and Data Protection

The Council of Europe and the European Parliament reached a preliminary agreement on a proposal for a regulation on environmental, social and corporate governance (ESG) assessments aimed at increasing investor confidence in sustainable products. ESG-related ratings provide an assessment of a company or financial instrument by evaluating its sustainability risks and its impact on society and the environment.

ESG ratings are increasingly influencing the functioning of capital markets and investors’ interest in sustainable products. According to the new regulations, ESG rating issuers must be licensed and supervised by the European Securities and Markets Authority (ESMA), and rating issuers must comply with transparency requirements, especially regarding their methodology and information sources.

Growing importance of ESG

The topic of ESG has become significantly more important in the past few years, including among investors asking about a company’s ESG footprint when performing due diligence. However, ESG principles go far beyond reducing carbon dioxide emissions. The list is long, but data protection and data security are also considered areas that have ESG implications if not implemented effectively. The examples concern not only appropriate data management and enabling data subjects to exercise their rights effectively, but also data hosting and environmental impact assessment of data centers.

Setting minimum data collection and storage deadlines, switching physical data centers to cloud services (when possible) and conscious use of energy-efficient technologies contribute to environmental sustainability. This shows how some of the principles of the GDPR affect the fulfillment of ESG requirements indirectly (through the amount of data stored and the CO2 associated with it). GDPR requirements are also directly related to ESG, for example through the protection of people’s fundamental rights (ESG requires the fulfillment of fundamental rights, including the right to privacy, and GDPR describes how to do this).

The importance of ESG is also growing, for example, in the rental market of commercial real estate. Buildings intended for offices, data warehouses, logistics, etc. may be subject to additional requirements and conditions imposed by tenants who wish to meet their ESG goals. Employers may need to monitor the use of electric vehicles by their employees using charging stations available in the building. Tenants may require insight into their individual energy and utility consumption and may be interested in co-investing in making the building more energy efficient, which ultimately requires reporting on return on investment. As such activities typically generate huge amounts of data, which is clearly a valuable resource for ESG knowledge, attention should also be paid to where this data comes from. ESG data can be obtained through a variety of channels and is often derived from individuals throughout the chain, which again brings the whole matter of GDPR to the table.

According to the EU’s Corporate Sustainability Reporting Directive (CSRD), large companies and listed companies must report on the ESG impact of their activities. However, a large company fulfills the ESG rules satisfactorily if its supply chains and cooperation partners do so sufficiently. Therefore, ESG is also important from the competition point of view.

These are just a few examples to demonstrate the relationship between personal data processing and ESG. Practice shows that procurement documents and supply chain rules require companies to comply with both GDPR and ESG, and this emphasis is sure to increase in the near future. Investors, procurers and subsidy deciders are increasingly interested in having the ESG model taken into account, and finally consumers and citizens are the ones who can exert pressure through their informed choices.

We at Hedman can definitely help you with personal data protection issues. Whether within the framework of ESG or not, every data processor must comply with GDPR requirements, and at some point this effort may prove to be very useful in complying with ESG rules.
