From Compliance to Sustainability to Generate Both Social and Financial Value

Paolo Balboni, Professor of Privacy, Cybersecurity, and IT Contract Law at the European Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law
Kate Francis, PhD candidate at the European Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law

22 October 2020
Maastricht, The Netherlands

The Fourth Industrial Revolution, driven by data and groundbreaking technological advancements, is pushing sustainability to the forefront of corporate strategies. The theme of the World Economic Forum (WEF) this year was “Stakeholders for a Cohesive and Sustainable World”. The aim of the WEF in defining stakeholder capitalism and working towards progress in the implementation of the UN’s Sustainable Development Goals, together with the 2020 Davos Manifesto, “The Universal Purpose of a Company in the Fourth Industrial Revolution”, attests to the contemporary centrality of sustainability in the global mindset. In the first quarter of 2020, according to research from Morningstar, 70% of sustainable equity funds recorded returns in the top halves of their broad-based peer group, and Morgan Stanley has shown that the number of millennials interested in sustainable investing is on the rise, clocking in at 95% interested and 67% actively investing in sustainable products.

Also this year, the world’s largest hedge fund, BlackRock, announced that it would expand its USD 90 billion sustainable portfolio (ESG, or environmental, social and governance) to more than USD one trillion. This move towards “good” business practices is driven by the recognition that non-traditionally reported data, non-accounting data, play an important role in the reputational image and hence value of companies, bolstering their long-term performance.  In other words, more and more businesses are understanding that the creation of financial value is increasingly linked to societal value as consumers are progressively aware of and care about sustainable and fair business practices.

In this context, it is confirmed that personal data, the driving force of the digital revolution and global economy, and the practices surrounding its value extraction urgently necessitate an ethical and sustainable approach. Albena Kuyumdzhieva, UM DPCSR Data Protection Stakeholder from the European Commission, notes that “The European strategy for data reaffirmed the notion of data as public good and underlined that ‘in order to release Europe’s potential we have to find our European way, balancing the flow and wide use of data, while preserving high privacy, security, safety and ethical standards.’ One of the steps in this regard will be to identify and address possible hindrances for data sharing and clarify the rules for the responsible use of data.” In information processing, organizations harnessing the great wealth that data has made possible should not only uphold the fundamental rights to privacy and data protection of individuals, as they are enshrined in the Universal Declaration of Human Rights, the Charter of Fundamental Rights of the European Union, the European Convention of Human Rights, Convention 108+, and the General Data Protection Regulation, but also aim to positively contribute to society. This approach is one that requires regulation but at the same time asks businesses to go one step further than what the modern law requires, for both their long-term economic benefit and for the betterment of society, fostering sustainable data handling practices, such as those which form the basis of the Maastricht University Data Protection as a Corporate Social Responsibility Framework (UM DPCSR). [1] With the application of such a framework, sustainable data processing can also be included in ESG evaluations.

In the words of Data Protection Stakeholder Ellis Parry, Data Ethics Adviser, Technology and Innovation at the United Kingdom Information Commissioner’s Office: “As we stand on the brink of the Fourth Industrial Revolution realising the full potential of the data driven economy and distributing the societal dividend fairly involves considerations of how organisations can behave ethically. While organisations have good reason to adopt ethical decision making processes and governance structures they can struggle to conceive how to achieve this without stifling innovation. The goal of the Information Commissioner’s Information Strategic Rights Plan is to create a culture of accountability and transparency and explain the role data protection can play in encouraging innovation - the UM DPCSR does just that. The GDPR’s principles of ‘accountability’, ‘fairness’ and ‘transparency’ form the foundational elements of the framework helping organisations design, develop and successfully operationalise ethically principled decision making in a measurable, repeatable and consistent manner. I have enjoyed working with the ECPC on the DPCSR framework building on those foundational elements to provide organisations with a useful, full and practical toolkit which they can deploy to unite the goals of data protection compliance, societal good and sustainable revenue within their organisation’s governance and processes for the benefit of all.”

The UM DPCSR project aims to successfully translate theoretical ethical principles into tangible and practical guidelines to build a solid framework for organizations to apply in order to foster transparent, accountable, fair, secure and sustainable data processing activities that positively contribute to the greater good. In a world where the conceptualization of data protection is seen as an asset that positively contributes to the bottom line of companies, the next logical step in the evolution of data protection and privacy governance is in fact the transformation of fundamental ethical and social concepts into something that concretely benefits all stakeholders, both internal and external to the organization. Dr. Prokopios Drogkaris, Network and Information Security Expert at the European Union Agency for Cybersecurity (ENISA) and Data Protection Stakeholder, highlights the potential of the project, noting, “I was privileged to follow the progress of the project as a member of the Stakeholder Group. I look forward to witnessing the outcomes of this initiative being adopted and deployed by organizations towards the realization of data protection as corporate social responsibility.”

As the first year of the two-year project enters the fourth quarter, the requirements of fifteen implementable rules, three for each of the five DPCSR Principles, are well under development. It is our objective that organizations will adopt the framework and implement the best practices for sustainable data processing contained therein in order to actively contribute to the propagation of ethical data processing that supports humanity in the data-driven world. Munish Ramlal, Head of System Supervision at the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) “encourage[s] this research project which promotes ethical data processing that supports humanity in the data-driven world. I very much hope that the Maastricht DPCSR framework can be a ‘thinking before processing’ toolkit. A practical framework that helps companies in the new digital economy to process (personal) data in a legitimate, fair and transparent way.”


“Data is the lifeblood of decision-making and the raw material for accountability” (United Nations) and its potential in this sense should be taken advantage of in order to provide benefits for all of society. ECPC Director Cosimo Monda is “particularly proud that our Centre is actively contributing with this groundbreaking research project in order to improve our data-driven economy and society”.
Our Research Project is effectively furthering sustainable data processing activities for the future digital society and economy because more than ever, in the midst of a global health pandemic and economic downturn, the time to make a positive difference is now!

[1] The DPCSR project of the European Centre on Privacy and Cybersecurity (ECPC) at Maastricht University is a two-year multi-stakeholder research project that commenced in January 2020 and involves both Data Protection and Business Stakeholders. During the first year of the project the researchers have concretized three rules for each of the Five Principles of Sustainable Data Protection previously identified by Dr. Paolo Balboni and explored during his inaugural lecture. The second year of the project will consist of expanding to five rules per principle, for a total of 25 rules, which will form the basis of the UM DPCSR Framework. The research project is being developed according to the highest academic and ethical standards in full independence. It is intended to benefit the rights and freedoms of individuals by way of the establishment of data protection practices that are socially responsible and feasible, and which shall be agreed upon and adhered to by the Stakeholders.