
ESG: One more reason to take data protection seriously

ESG is not yet widespread, but it is gaining ground in Germany as well.

ESG

Environmental, Social and Corporate Governance (ESG) may not yet be on everyone's lips, but it is becoming established in Germany. It is a relatively new approach to assessing the extent to which a company commits to goals beyond maximizing profit for its shareholders and owners: environmental targets, support for social causes, and whether the company is run in a way that promotes diversity, equality and inclusion. ESG criteria also cover the handling of data, so companies are measured by how carefully they handle the sensitive data of their employees, customers and partners. What should companies be guided by to meet the data protection side of ESG?

TRADE SECRET PROTECTION ACT (GESCHGEHG)

The German Trade Secrets Protection Act (GeschGehG), which transposed the EU Trade Secrets Directive (2016/943) into German law in 2019, provides good guidance: for the first time it defines in law what a trade secret is. Among other things, the definition requires that the holder has taken confidentiality measures appropriate to the circumstances. If a court finds those measures inadequate after data has been stolen, the information is not a trade secret in the legal sense and the company has no claims under the Act against whoever took it. Trade secrets are ultimately data; if they are not adequately protected against criminal access, the financial loss is compounded by reputational damage.

GDPR

Beyond the GeschGehG, the best-known legal requirements for the careful handling of data come from the General Data Protection Regulation (GDPR) as interpreted by the CJEU's Schrems II ruling. Under it, companies may only transfer personal data to cloud services in countries outside the EU/EEA if they take appropriate technical measures to protect the data from unauthorized access by third parties, above all from access by the public authorities of the destination country. The European Data Protection Board (EDPB) is more specific: its Recommendations 01/2020 on supplementary measures name encryption and pseudonymization of the data before it is transferred to the cloud as measures that can make such a transfer GDPR-compliant, on the condition that the keys (or the pseudonymization table) remain under the sole control of the data exporter, or of an entity entrusted with them, within the EEA.

DATA ENCRYPTION HELPS

Encrypting or pseudonymizing data before it leaves the protected corporate environment is the most effective way to reduce the risk of severe GDPR penalties, provided the keys stay under the company's own control. Because it is the strongest technical measure for protecting data, encryption is also the method of choice for meeting the "appropriate confidentiality measures" standard of the GeschGehG and the data protection expectations of ESG, which are gaining weight for German companies.

Any realistic IT security strategy must accept that there is no absolute protection against unauthorized access to data. Even technically advanced companies fall victim to headline-grabbing cyber attacks, especially as criminals increasingly exploit human weaknesses such as phishing and social engineering to get into IT systems. Cryptography is the technical measure that limits the damage once such a weakness has been exploited: encryption does not prevent sensitive data from falling into the wrong hands, but it ensures that the stolen data is worthless to criminals and foreign states because it is unreadable. That holds only if the attacker does not obtain the keys together with the data, which is why keys must be stored and used separately from the encrypted data, ideally in a key management system or HSM under the company's own control.

ANOTHER REASON

In the end, the ESG trend places no new demands on data protection; it simply adds one more reason to encrypt sensitive data. As the strongest technical measure for protecting data, encryption is also the one that keeps its value as requirements evolve. In other words: there is no better place to start.

Disclaimer:
Insofar as this document contains legal explanations and advice, these are non-binding information without any guarantee of completeness or accuracy. They do not constitute legal advice, and Eperi GmbH does not claim to provide or replace such advice.
