Corporate Social Responsibility (CSR) Project

The Research

Our objective at the European Centre on Privacy & Cybersecurity (ECPC) is to trigger virtuous data protection competition between companies by creating an environment that identifies and promotes data protection as an asset which can be used to help companies to responsibly further their economic targets. This can be accomplished through the development of a new dimension of data protection that goes beyond legal compliance, transforming data protection into a new form of Corporate Social Responsibility (Data Protection as a Corporate Social Responsibility). 

The Project

The Maastricht University Data Protection as a Corporate Social Responsibility (UM-DPCSR) Project successfully translates theoretical ethical principles into tangible and practical guidelines to build a solid framework for organizations to apply in order to foster transparency, accountability, fair, secure and sustainable data processing activities that positively contribute to the greater good.

The Project at the European Centre on Privacy & Cybersecurity has a duration of two years (2020-2021) and aims to foster virtuous compliance that goes beyond what is strictly prescribed in the law.

The Outcome

Preliminary research led us to identify five key high-level principles of the Maastricht University Data Protection as a Corporate Social Responsibility Framework and a draft Framework consisting of fifteen rules that accompany the five principles.

ECPC continues to advance the research process and is working to develop further concrete, measurable and translatable guidance for organisations in order to answer the following questions: 

•  What are the fundamental requirements of socially responsible data processing activities?
•  How can companies reconstruct Data Protection into an effective CSR framework?
•  What are the benefits for companies that embrace data protection as a CSR?

Timeline

The first phase of the Project (Phase 1), going from 5 principles to 15 rules, commenced in January 2020 and ended in December 2020.

The second phase of the Project (Phase 2), going from 5 principles and 15 rules to 25 rules, commenced in January 2021 and ended in December 2021.

On 16 March 2022, the first official output of the UM-DPCSR project was made available on the ECPC website.

On 14 March 2023, the first meeting of the UM-DPCSR Permanent Stakeholder Group was held online. Throughout 2023, Data Protection, Intergovernmental, Educational, and Business Stakeholders met to discuss the specific controls we consolidated after the conclusion of the research project. 

On 6 September 2023, the European Centre on Privacy and Cybersecurity held the “Data Protection as a Corporate Social Responsibility (DPCSR): A Digital Pact for Privacy and Cybersecurity as Social Responsibilities” event at the Maastricht University Faculty of Law. ECPC also launched the Digital Pact for Privacy and Cybersecurity as Social Responsibilities which was signed by nearly 40 individuals at the Chateau Neercanne in Maastricht. 

In December 2023, “Data Protection as a Corporate Social Responsibility”, a book which critically analyses the current state of data protection enforcement and proposes the new auditable Data Protection as a Corporate Social Responsibility Framework authored by Paolo Balboni and Kate Francis, was published by Edward Elgar. 

From February 2024, the Permanent Stakeholder Group meetings will recommence. 

In June 2024, the first UM-DPCSR Coordinator and Auditor Courses will be held in Maastricht.