The 2021 Global Risks Report highlights climate change and data governance as key megatrends. Cybersecurity and digital security are indeed bound to have knock-on impacts in the short term, while IT infrastructure and tech governance failure should prove determinant in the longer run. The last 2 years in particular have additionally witnessed a leap in terms of hyperconnectivity, with new patterns of consumption, investing, work and education, revising fundamental understandings of risk and privacy. This is especially true of successful vaccination programs and the inevitable corollary disclosure of personal and sensitive health data.
Cross-border data-related disruptions disproportionately impact emerging economies because of their generally lesser geopolitical stability. As such, they pose new risks for investors and business owners alike. The Colonial Pipeline attacks, for instance, resulted in system shutdowns, causing major issues to both IT and OT security. The sector as a whole faces system exposure to a slew of cyber risks, compounded by the fact that Big Tech is inherently tied to disruption.
This materializes in the rising cost of addressing cybersecurity breaches, litigation liabilities and regulatory fines. Though cyber spending is increasing at a compound annual growth rate of between 7.7 and 14.5% from 2020 to 2026, markets (as well as the underpinning solutions or products) remain fairly underdeveloped. It follows that they run the risk of ethics-washing. Many insurance policies indeed do not cover cybersecurity, exposing insurers to a heightened risk of cyber-related crimes.
That is precisely why Data Governance is poised to become the next ESG battleground. Indeed, there have been talks around future-proofing various ESG disclosure frameworks by including issues pertaining to data and formalizing recommended metrics.
The business case for ESG and Data Governance
Data Privacy As A Key ESG Concern
The EU’s proposed Human Rights Due Diligence directive is expected to demand a 360-degree value chain assessment. In other words, it would mandate information disclosure across all supply chains. With that in mind, local stakeholder engagement is an important pillar in risk mitigation and impact tracing. The directive would target companies whose supply chains span different geographies but lack robust human rights due diligence – potentially causing major regulatory and reputational risks.
Within this broader landscape, data governance is emerging as a key aspect of ESG materiality issues. Cognizant of the emerging risks and opportunities tied to data, organizations like the Ada Lovelace Institute are defining principles of accountability, responsibility, equity and ethics in relation to data innovation. For example, the Indian biometric ID system, Aadhaar, compiles the data of over 1.31 billion people and became the first of its kind to standardize and digitize its processes. As such, it has faced major criticism from civil society organizations – for failing to verify consent of its choice for technology.
Cybersecurity As An ESG Concern
With the cost of data breaches reaching almost $4M per company (globally) in 2020, cybersecurity impacts an increasingly broader demographic. That concern only got worse as a result of the Covid-19 pandemic, with the related rise of remote working further increasing total costs by $137,000.
Unprotected information networks could indeed have a material impact on relevant industries like IT, consumer, financial and communication services. While cyberattacks clearly affect the bottom line, data breaches more broadly impact organizations’ reputation and share price – an issue that is still being assessed and debated as we speak.
As a key ESG concern, cybersecurity also runs counter to a growing body of regulation and legally-binding due diligence requirements. The issue therefore lies in pushing for more granular non-financial disclosures to specifically target data governance. In other words, regulators and private players will need to align on the best way to embed data-related issues within ESG frameworks.
Zeroing in on India’s Data Governance and ESG Investing
The above-mentioned risks and ESG concerns take on a whole new meaning in emerging economies. Their jurisdictions are still in the process of implementing data protection laws and ecosystems. The role of policy, technical experts and advocacy groups is therefore pivotal in shaping an ecosystem that will not simply replicate that of the developed world and rather operates in a manner relevant to their specific contexts – while playing to their strengths.
To put things in perspective, we zero in on India and its evolving data protection mechanisms. The issue could be summarized as addressing two key blind spots: implementing data protection laws and embedding the resulting data governance in ESG risk-ratings.
Implementing Data Protection Laws
2021 saw a surge in cybercrime, exacerbated by the pandemic and exemplified by the Pegasus Project scandal. India indeed reported an 11.8% rise in cybercrime in 2020 along with 578 incidents of ‘fake news on social media’. Echoing the rise in international data quality compliance requirements, the country issued a draft for a Data Protection Bill in December 2021. Debates had been tabled, with criticism of the initial proposal that its scope be limited to personal data. In any case, the goal was to create an omnibus data protection law fully interoperable with the GDPR and UK’s Data Protection Act (among others).
This initial Personal Data Protection draft includes the following key elements:
The key objection arose around the role of the State in data governance as well as proposed exemptions for Government agencies on data sharing. Experts and civil society organizations notably recommended oversight on both public and private sectors, stronger antitrust and ex-ante clauses as well as new structures of data trusts. They argued such tools would indeed facilitate responsible innovation. Thanks to their mobilization, the bill also covers both personal and non-personal data.
Embedding Data Governance In ESG Risk Ratings
ESG investing is a polarized topic in India. As in many of the emerging economies (barring China), the country’s response was at best lukewarm – both in terms of ESG risk ratings and passive stocks and funds. Overseas funds like the UK-based Stewart Investors India Subcontinent Sustainability Fund cited India’s relatively small carbon footprint (at least compared to the US and the EU) as a factor of its market attractiveness. Like others, it mainly focuses on low-carbon technologies and renewables, whereas cybersecurity and data governance are still not regarded as high priorities in local corporate agendas.
In 2021, however, the Securities and Exchange Board of India (SEBI) issued a circular implementing new sustainability-related reporting requirements for the top 1,000 listed companies by market capitalization. In so doing, it aimed to promote transparent, standardized disclosures on ESG parameters and sustainability-related risks and opportunities among listed companies in India. Despite a fairly limited scope and vague remit, one of its sections is in fact devoted to consumer complaints regarding data privacy and cybersecurity. A joint effort, this circular nevertheless offers investors from across the board a great opportunity to recommend and vote to extend companies’ sustainability remits around data governance.
Signaling the urgency of addressing the underpinning data governance structure, India aims to double its data center industry capacity by 2023 (from a 499 MW IT load to a 1007 MW IT load). The country indeed presented its Union Budget for 2022-2023, which includes granting data centers infrastructure status in order to ease sector-wide financing. This notably involves facilitating data centers’ access to foreign funding through the external commercial borrowing route, which further drives home the importance of aligning national and international standards, regulations and methodological frameworks.
Conclusion: Fostering Responsible Innovation Through Data Governance
Local stakeholder engagement is an important pillar in risk mitigation and impact mapping – both in terms of Human Rights due diligence and supply chain resiliency. In the face of a boom in digital services, particularly among emerging economies, the data ecosystem demands greater scrutiny.
Another key factor specific to emerging economies lies in a fairly low data literacy, stressing the need to tap into local data, privacy and consent frameworks to model innovation from the bottom up. As such, here are key questions for investors, business owners and policy-makers to address in relation to data governance in emerging economies:
- What are key sustainability or ESG metrics to measure impact in a manner relevant to emerging economies?
- How can the landscape of local stakeholders be mapped in order to better ascertain related risks and opportunities?
- What is the role of third-party players and public-private collaborations in developing a supportive ecosystem?
- What are the relevant financial instruments, funds, grants and investments for that purpose?
In short, what is currently being redefined is our understanding of what responsible innovation should look like. From there, it stands to reason we will collectively need to formalize the means to adapt the underpinning ecosystems and governance to emerging economies’ contexts.