Data ethics and digital sustainability: Bridging legal data protection compliance and ESG for a responsible data-driven future

Abstract

Despite being the most comprehensive data protection law in the world, Europe's General Data Protection Regulation (GDPR) has failed to ensure that data is processed in an ethical and sustainable manner. This is because the law does not regulate what is good and even lawful activities may lead to harms. At the same time, data ethics requires clear guidelines that can be adopted by organizations. To address this, the authors propose situating data protection within the Corporate Social Responsibility (CSR) and Environmental, Social, and Governance (ESG) paradigms. This incentivizes the adoption of ethical practices thanks to the potential for organizations to improve their ESG ratings. To this end, the Maastricht University Data Protection as a Corporate Social Responsibility Framework is provided as a solution. The Framework provides actionable and auditable controls with the ultimate aim of promoting responsible data practices that benefit not only businesses, but also individuals and society.

Novelty and contribution to knowledge: This paper builds upon the work illustrated in Data Protection as a Corporate Social Responsibility (Edward Elgar, 2023) to provide an overview of the need for taking an ethical approach to data protection and cybersecurity compliance. It provides new insights into the relationship between ethics and data protection law and makes new connections between ESG and data protection. Essentially, it delves deeper into the potential for framing data protection under ESG to act as an incentive for virtuous data protection compliance to be achieved by companies.