
On Tech Ethics Podcast – Importance of Data Privacy Compliance and ESG Reporting

Season 1 – Episode 30 – Importance of Data Privacy Compliance and ESG Reporting

Discusses data privacy compliance and environmental, social, and governance (ESG) reporting.

Podcast Chapters

To easily navigate through our podcast, simply click on the ☰ icon on the player. This will take you straight to the chapter timestamps, allowing you to jump to specific segments and enjoy the parts you’re most interested in.

  1. Introduction to Katrina Destrée (00:00:03) Daniel introduces Katrina, a privacy and sustainability professional, and outlines the episode’s focus.
  2. Katrina’s Background (00:01:10) Katrina shares her experience as an independent consultant in data privacy and ESG reporting.
  3. Importance of Data Privacy Compliance (00:04:49) Katrina explains data privacy compliance as vital for enterprise risk management and building digital trust.
  4. Real World Privacy Issues (00:07:09) Katrina highlights key privacy issues organizations face regarding data use.
  5. Ensuring Data Privacy Compliance (00:08:47) Katrina discusses steps organizations can take to ensure compliance with data privacy laws and regulations.
  6. Importance of ESG Reporting (00:12:02) Katrina elaborates on ESG reporting and its significance for stakeholders and responsible business practices.
  7. Managing ESG Reporting (00:14:48) Katrina explains how ESG reporting is managed within organizations and the roles involved.
  8. ESG Best Practices (00:16:56) Katrina recommends engaging with associations to learn best practices for ESG reporting.
  9. Resources for Data Privacy and ESG (00:18:09) Katrina shares resources for further learning about data privacy compliance and ESG reporting best practices.
  10. Final Thoughts on Data Privacy and AI (00:20:40) Katrina reflects on the rising importance of data privacy and its connection to responsible AI practices.

Episode Transcript

Daniel Smith: Welcome to On Tech Ethics with CITI Program. Our guest today is Katrina Destrée, who is a globally experienced privacy and sustainability professional. Katrina’s work in privacy and sustainability focuses on privacy programs, environmental, social, and governance or ESG reporting, awareness and training, and strategic communications. Today we are going to discuss data privacy compliance and ESG reporting.

Before we get started, I want to quickly note that this podcast is for educational purposes only. It is not designed to provide legal advice or legal guidance. You should consult with your organization’s attorneys if you have any questions or concerns about the relevant laws and regulations that may be discussed in this podcast. In addition, the views expressed in this podcast are solely those of our guest. And on that note, welcome to the podcast, Katrina.

Katrina Destrée: Thank you, Daniel. Thank you so much for having me. It’s a pleasure to be here.

Daniel Smith: Absolutely. And I’m really looking forward to learning more about data privacy compliance and ESG reporting. So can you first tell us more about yourself and your work in data privacy and ESG?

Katrina Destrée: Sure. Well, they’re two areas that I really enjoy working in, and I have been working as an independent privacy and ESG consultant. And I’m also an IAPP faculty member teaching the IAPP’s Privacy Program Management training program that can be had online or in person. And on the ESG side, which is how I came to data privacy, I’ve helped organizations see how their data practices can either strengthen or weaken their ESG submissions, especially in the governance side.

So ESG stands for environmental, social, and governance, and it really helps an organization understand their environmental and their social impact. You can see the submissions and the result of organizations’ efforts in their sustainability reporting. And oftentimes now they’re called the ESG reports. They’re annual reports, and they help stakeholders understand the efforts that organizations have made in various programs and efforts to help manage their risks.

And they describe their business practices, and they enable stakeholders to understand how their expectations have been met and how organizations are actually performing on their commitments. So these types of exercises really illustrate organizations’ commitments to better position their activities and respond to their stakeholders’ expectations. So my work in sustainability began, oh, I believe about 15 years ago, and I was working with an organization called the Global Enabling Sustainability Initiative, which is also called GeSI.

So GeSI is a multi-cross-industry sustainability organization. It’s international, and it’s based in Brussels. And it helps with cross-industry sustainability initiatives, creating and enabling digital solutions. And with GeSI both working with the organization and a member company, I worked on a materiality assessment. So materiality is a tool that helps organizations represent and understand their activities in various areas of importance for their business operations and also stakeholder expectations.

And when we’re working on materiality assessments in sustainability, I saw in the area of ethics and compliance the issue of data privacy and protection rise in prominence. So this really began to happen about a decade ago, and it piqued my interest in the area of data privacy and protection. And that’s what led me to my current work in data privacy. So oftentimes I’m asked about the connection between the two, and this happens particularly because I’ve found that privacy pros and sustainability pros are quite passionate about their work and they’d like to know the connection.

And I have found that the answer can be found in materiality assessments because you can see of all the issues that an organization can be looking at in terms, again, of their operational success, what makes them go forward, as well as what their stakeholders are expecting, you can see this area of data protection and privacy rise. And so that’s the area of connection that I have found.

Daniel Smith: Thank you, Katrina. I think that lays a very good groundwork for our listeners today. And now I want to dig a bit deeper into both data privacy compliance and ESG reporting. So first, I’m going to go through data privacy compliance. So can you describe just in general the importance of data privacy compliance for organizations?

Katrina Destrée: Absolutely. Well, data privacy compliance is a part of the larger enterprise risk management efforts. So organizations rely on personal data. So privacy, first of all, is concerned with personal data and also control over that personal data. And all organizations need personal data. So you need personal data to create the products to respond to services that our customers are expecting and also just to operate. So we all need this personal data.

But using it properly and in a responsible manner also means complying with the expectations of the laws and the regulations that those organizations would be subject to. So that’s really the importance of privacy compliance for organizations. And it’s also very important to generate what we call digital trust. So digital trust refers to the confidence level that individuals whose data it belongs to have in the organizations that are processing their personal data.

So I mentioned that we all need this personal data; we also want to have confidence in how it’s being processed. And that is so important because once confidence is weakened or lost, it’s really a distraction. I consider it a business distraction. It’s also very difficult to get back. If we think about it from the private sector, it’s hard enough to acquire a customer. And then if you lose that confidence in how the personal data is being processed, it’s double work to go back and get the customer again.

But it’s also in the public sector: you have expectations on how your private personal data is being processed, so you don’t want to lose the confidence there either. So you really need the digital trust. And I would like to suggest another organization that I’m familiar with, and that’s ISACA. That’s a security professionals organization, and they’ve done a lot of work in the area of digital trust as well.

Daniel Smith: So going off of that a bit, in order to foster that digital trust in the proper and responsible use of data, can you share a few real world examples of potential privacy issues that organizations may encounter so that our listeners can better anticipate and address potential issues that may come up in the future?

Katrina Destrée: Yes, I can actually summarize it into one word: being surprised. So when I respond to this question in my presentations, there’s one image that I like to include, and it’s of this person who is just so shocked, his hair is standing. He’s exploding, and his face is like with complete wild shock of an expression. And I say, this is a person who is surprised, and this is what you do not want.

This is a real world example when your data subject who has entrusted you with their personal data is now surprised on how it’s being used. And so this is a real world example. When the person could be surprised, they make an inquiry to the company, to the organization, and they’re asking, how, why, what, where, please delete, tell me more, I’m upset. So this can take many forms and this is something that organizations really need to be aware of and be competent to adequately respond to.

So this is a real world example. You can have the input from a variety of people in a variety of sectors, in a variety of organizations say, oh my goodness, yes, this is a real world example of a person being surprised that their personal data was being used in a different way than they anticipated or that they agreed to.

Daniel Smith: So in order to help avoid those surprises, can you talk a bit about how organizations can ensure data privacy compliance?

Katrina Destrée: Yes. Well, first of all, organizations need to understand which laws and regulations apply to them. So that is the part about data privacy compliance. And it can be either jurisdictional or it could be sectoral, a combination of both. Organizations also need to know what kinds of data they’re processing. So levels of sensitivity, they understand the data classification, the data categories.

They also need to know where it is. We’ll call that data mapping, which is definitely very challenging to do. They need to have policies. They need to have standard operating procedures. They need to have people understand where they are. Also, not always easy. So yes, we have these, but where are they? And the fact that they are updated regularly and that there’s a level of oversight.

So there might be statements made about how data is processed responsibly, but also how it’s being audited, how there are metrics. And very important, that there’s executive support for privacy programs so that the activities and the initiatives can go through smoothly, that can actually be implemented. And you can really guide the progress that you’re anticipating having that would represent your endeavors in this area.

So privacy compliance though is the baseline. I like to say it’s not just saying, yes, we’ve stopped at the red light. I mean, that’s not an accomplishment. We’re supposed to do that, right? So it’s more about demonstrating beyond compliance that there has been a real representation and a promise to respect the person’s personal data. That’s about being transparent about your policies in your external facing privacy notice.

Oftentimes that’s called a privacy policy, but the point is being transparent and communicating what personal data you plan to process and for which purpose you plan to process and how the person can understand more. So it’s an overlying sense of clarity. And these reflect overarching privacy principles on how personal data is being processed.

Justin Osborne: I hope you’re enjoying this episode of On Tech Ethics. If you’re interested in hearing conversations about the research industry, join me, Justin Osborne, for CITI’s other podcast called On Research – with CITI Program. You can subscribe wherever you listen to podcasts. Now, back to the episode.

Daniel Smith: That’s all really helpful. And later I’m going to ask you about some additional resources where listeners can learn more about these different issues that you’ve just brought up and these different ways that organizations can ensure data privacy compliance. But first, I want to shift gears to talk more about ESG reporting. So to start, can you describe the importance of ESG reporting for organizations? I know you touched on this a little bit in your introduction, but if you can elaborate on it some more, that would be wonderful.

Katrina Destrée: Sure. So ESG, again, it stands for environmental, social, and governance, and it’s looking at how the activities of an organization are impacting the environmental and the social environments in which they operate, and looking at how the organizations are having responsible business practices. This is especially important for stakeholders. And let me elaborate on what I mean by stakeholders. So stakeholders can be internal, meaning your employees.

They can be external meaning regulators, investors, media, NGOs, non-governmental organizations, your customers, your suppliers. Any of these stakeholders can have expectations on how your organization is operating and if you are meeting these expectations. So ESG reporting, it enables an organization to use standards and frameworks, and there are several out there, to demonstrate in a unified way, in a way that can be understood, here’s what we are doing.

ESG reporting is about answering a series of questions, so there’s a narrative part, and then there is an option to submit artifacts or evidence to demonstrate, yes, this is what we are doing. And oftentimes these submissions are public. So you can go to an organization’s website and find our ESG annual report or find our sustainability report. And so it really is an external representation saying, here’s what we have said we are going to do, here’s how we’re doing it, here’s why it’s important.

So it’s recognizing that an organization is not just existing in a vacuum, that it’s really making an impact in these particular areas. It’s impacting environments in which organizations operate. It’s impacting the social aspect as well. People are involved. And it’s also impacting their ability to manage their information, so that’s data, personal data, et cetera, their governance practices.

And that’s really the connection with data privacy is their governance, how they’re managing this data. So the reporting is really very important to make that representation that things are being handled in a responsible manner.

Daniel Smith: So in practice, how does ESG reporting work? Who typically manages this within organizations and where are these reports being submitted to?

Katrina Destrée: Well, it really depends on the size of the organization. So if you have a very small organization, then that can fall under the communications department who’s handling that external communications. Reporting isn’t a communications exercise. So you’re gathering input from around the company and then you are reporting. So that’s going to fall in the communications, but it’s really a cross-functional exercise.

So you’re reaching out to these various departments, and you’re requesting information from these departments, and then you’re synthesizing it. And you are again responding to the standards and the frameworks that you have chosen to follow and reporting it out. For a larger organization, you might even have an entire department. For example, the corporate social responsibility department or the sustainability department, and they would be handling that reporting exercise.

It is quite an undertaking. It can take close to a year to reach out to the different departments, determine how the activities correspond to the standards and the frameworks which you are following, and what exactly you want to report and provide evidence. And make sure that it’s been vetted and that it’s accurate and that it’s current and it’s meeting the performance targets that you might have set forward the previous year. So that’s what it entails.

And it’s basically following a questionnaire that can be oriented towards your sector. It can be cross-industry. It can reflect the size of your business. It can reflect your jurisdiction. There are a number of reporting frameworks out there as to which ones you choose. Sometimes you can choose one or more, or increasingly more popular is the integrated reporting aspect. So you choose a particular framework set of standards. You say this will actually help respond to several reporting standards and frameworks out there.

Daniel Smith: That’s really helpful. So in addition to the reporting, are there other ESG best practices that our listeners should be aware of?

Katrina Destrée: Absolutely. I would encourage going to associations, so whatever association your organization might be affiliated with, to understand how basically your peers are reporting and to understand their particular experiences and best practices and learn about performance targets. So I’ve mentioned GeSI, the Global Enabling Sustainability Initiative, and GeSI has the Digital with Purpose initiative as well. It’s part of GeSI.

They have a separate website. And that looks at how organizations have actually met their performance targets. It’s one thing to say, “Here’s what we aim to do,” it’s another thing to say, “We have done it. Here’s how we are tracking.” And so that helps when you feel that you’re not operating just by yourself and you can understand best practices and make it more of an industry effort. And that’s beneficial from a number of perspectives.

Daniel Smith: In terms of recommendations for both data privacy compliance and ESG, do you have recommendations for additional resources where listeners can learn more about both of these topics?

Katrina Destrée: Yes. So I will mention some resources, and I also wanted to mention some specific examples on how there is this connection between data privacy and ESG reporting, which I’ll do now. So when it comes to these governance indicators and how an organization can demonstrate responsible practices with regard to their data privacy activities and data protection activities, there are some indicators that would say, what are the number of incidents or breaches or the financial implications of each in the area of data protection and privacy that an organization has faced?

There are surveys used to assess diversity indicators, and there we encourage the practice of using aggregate data, so that it’s not revealing unnecessary personal indicators. That it really has been aggregated for that particular purpose of reporting trends, and you don’t compromise the personal integrity of the personal data. And then also demonstrating your policies and procedures that you are responsibly processing personal data.

So these three areas are examples on how an organization can demonstrate their responsible business practices in the area of data protection and privacy, which falls under the governance side of the ESG reporting. So as far as additional resources for each, because we’re making that connection between data privacy and ESG, on the privacy side, I would recommend visiting the IAPP website, International Association of Privacy Professionals. That’s the IAPP.org.

And I would also recommend ISACA, I-S-A-C-A.org, for the security side, and as I mentioned earlier, digital trust work. Another organization that I have mentioned is GeSI. That’s G-E-S-I.org. And then to learn more about how I’ve made the connection between the two, agreaprivacyesg.com.

Daniel Smith: Wonderful. And I’ll certainly include links to those resources in our show notes. And my final question for you today is, do you have any final thoughts that we’ve not already touched on?

Katrina Destrée: Yes, I do. Upon reflection about how I’ve seen data privacy and protection rise in prominence, as I’ve mentioned, the past decade, that’s when I’ve seen data protection and privacy really rise in terms of importance of all of the areas for businesses and organizations to consider in their materiality assessments, what is impacting their business operations and what their stakeholders are expecting from them to operate in a responsible manner.

I now am very interested to see how AI-responsible business practices also rise in prominence. So I think that organizations will be looking at this and that it’s going to become part of our ESG and sustainability reporting metrics.

Daniel Smith: Absolutely, and I think that that is a great place to leave our conversation for today. So thank you again, Katrina.

Katrina Destrée: Thank you so much, Daniel, for having me. It’s been a pleasure.

Daniel Smith: I also invite everyone to visit CITIProgram.org to learn more about our courses, webinars, and other podcasts. Of note, you may be interested in some of our data privacy related content, such as the GDPR in Research and Higher Ed course, as well as the Essentials of Responsible AI and Big Data and Data Science Research Ethics courses. And with that, I look forward to bringing you all more conversations on all things tech ethics.

How to Listen and Subscribe to the Podcast

You can find On Tech Ethics with CITI Program available from several of the most popular podcast services. Subscribe on your favorite platform to receive updates when episodes are newly released. You can also subscribe to this podcast by pasting “https://feeds.buzzsprout.com/2120643.rss” into your podcast app.

Meet the Guest

Katrina Destrée, FIP, CIPM, CIPP/E, MALD – International Association of Privacy Professionals – Faculty

Katrina Destrée is an experienced privacy and sustainability leader with a proven record in developing and implementing privacy programs, sustainability initiatives, and reputation-building strategies for technology and financial services firms. She is based in San Diego, California after having previously lived and worked in Europe for 20 years.


Meet the Host


Daniel Smith, Director of Content and Education and Host of On Tech Ethics Podcast – CITI Program

As Director of Content and Education at CITI Program, Daniel focuses on developing educational content in areas such as the responsible use of technologies, humane care and use of animals, and environmental health and safety. He received a BA in journalism and technical communication from Colorado State University.