CSR project

Developing a New Dimension of Data Protection as a Corporate Social Responsibility (DPCSR)

Mixed methodology research project with Stakeholder involvement

In our data-centric global economy businesses need to consider privacy and data protection as assets rather than simply compliance obligations. It has already been demonstrated that a strategic and accurate approach to data protection can generate a significant return on investment (ROI).

The Research

Our objective at the European Centre on Privacy & Cybersecurity (ECPC) is to trigger virtuous data protection competition between companies by creating an environment that identifies and promotes data protection as an asset which can be used to help companies to responsibly further their economic targets. This can be accomplished through the development of a new dimension of data protection that goes beyond legal compliance, transforming data protection into a new form of Corporate Social Responsibility (Data Protection as a Corporate Social Responsibility). 

The Project

The Maastricht University Data Protection as a Corporate Social Responsibility (MU DPCSR) Project successfully translates theoretical ethical principles into tangible and practical guidelines to build a solid framework for organizations to apply in order to foster transparency, accountability, fair, secure and sustainable data processing activities that positively contribute to the greater good.

The Project at the European Centre on Privacy & Cybersecurity has a duration of two years (2020-2021) and aims to foster virtuous compliance that goes beyond what is strictly prescribed in the law.

The Outcome

Preliminary research has led to the identification of five key high-level principles of the Maastricht University Data Protection as a Corporate Social Responsibility Framework and a draft Framework consisting of fifteen rules that accompany the five principles.

ECPC is now advancing in the research process and  working to develop further concrete, measurable and translatable guidance for organisations in order to answer the following questions: 

  •  What are the fundamental requirements of socially responsible data processing activities?
  •  How can companies reconstruct Data Protection into an effective CSR framework?
  •  What are the benefits for companies that embrace data protection as a CSR?


The first phase of the Project (Phase 1), going from 5 principles to 15 rules, commenced in January 2020 and will end in December 2020.

The second phase of the Project (Phase 2), going from 5 principles and 15 rules to 25 rules, commenced in January 2021 and will end in December 2021. The kick-off meeting with Stakeholders for Phase 2 is scheduled to take place in March 2021. 

This Research Project is the natural continuation of what was anticipated by Professor Paolo Balboni in his inaugural lecture entitled “Personal Data Protection as a New Competitive Edge: Generating Socially Responsible Corporate Behaviour”.

  View the inaugural lecture here

If you are interested – as Stakeholder – in participating in or knowing more about this research project, please contact Prof. Paolo Balboni