Privacy and data protection are most often associated with compliance with the relevant legislation. However, once data protection laws such as GDPR start promoting certification and acknowledge that technological reality inevitably limits one’s privacy: Corporate Social Responsibility (CSR) starts to kick in.
Global Reporting Initiative (GRI) G4 set of CSR indicators includes Consumer Privacy among the aspects and indicators under Product Responsibility. Similarly, OECD Guidelines for Multinational Enterprises direct MNEs to respect consumer privacy and take reasonable measures to ensure the security of personal data that they collect, store, process or disseminate.
The difference between compliance and CSR
Although the views on what exactly CSR is differ (in some places, sadly, certain companies even present their mere compliance with local laws as CSR), it is generally recognised that CSR means going the extra mile from what is legally required. For example, obtaining consent to process personal information might sometimes not be required, however, giving the consumer the chance to opt-out might be considered good practice in the same circumstances.
Why go beyond compliance?
One can identify two key reasons why going beyond mere compliance may be a good idea when it comes to privacy. First, as it is with all CSR, excelling in treating your consumers and other stakeholders could help you sell more. Second, and perhaps more critically, in a technologically complex environment, privacy issues are often not clear cut. A strong commitment to privacy can help a company maintain a better relationship not only with its consumers but also with the regulators and other stakeholders (e.g. the media or bloggers). Such relationships might prove to be valuable in cases of minor data breaches or compliance slips.
How does privacy as Corporate Social Responsibility manifest itself?
A company that has included privacy and consumer data protection into its CSR agenda will normally do the following:
- enable opt-out or, where this would adversely affect user experience, clearly explain the company uses of consumers’ personal data;
- involve company Data Protection Officer in high-level decision-making processes before new methods of data processing such as Big Data analytics are introduced in relation to users’ personal data.