The “Social” pillar of ESG is about how a company treats people, employees, customers and communities. In this regard existing UK data privacy laws provide people with greater control over, and rights in relation to, their personal data, which in turn has, and continues to, put pressure on companies to process such data lawfully, fairly, securely and transparently.  Hence, making data privacy a social issue as much as a legal one.

Transparent data practices foster trust internally and externally, which is an increasingly valuable asset in a digital economy.

In this sense, data privacy compliance isn’t just a legal checkbox, it’s a reflection of a company’s values. Responsible data handling is essential to establish and maintain the trust of, and long-term relationship with, customers, business partners, investors and employees. A well-documented, effective and visible data privacy governance framework will not only sustain regulatory compliance but also achieve positive social outcomes.

Cybersecurity is often seen as a technical issue, but it’s also a governance one. Boards and leadership teams are expected to oversee cyber risk as part of their fiduciary duties. And with the rise of ESG reporting, cyber resilience is becoming a key metric for investors and regulators alike.

Importantly, cybersecurity protects more than just personal data:

• Intellectual property
• Operational data
• Supply chain information
• Financial systems

A breach can disrupt operations, erode stakeholder confidence, and trigger regulatory scrutiny. That’s why cybersecurity should be embedded into ESG strategies, not just IT frameworks.

1. Integrate data privacy into ESG reporting

Include data protection metrics in your ESG disclosures, such as data subject rights requests response times and completion rates, personal data breach response times, or data privacy training completion rates.

2. Treat data privacy and cybersecurity as a board-level issue

Data privacy compliance and cyber security needs to be driven from the top, i.e. a board-level responsibility. Ensure data privacy and cyber risk is prioritised and regularly reviewed at senior level, with clear accountability and escalation paths and a well-documented and visible governance framework.

3. Adopt a Privacy by Design approach

Embed data privacy and security into business practices, processes and procedures, which means considering data privacy and security at the design phase of any system, service, product or process and then throughout its lifecycle.

4. Engage stakeholders

Communicate clearly with customers, employees, and partners about how their data is used and protected.

As ESG frameworks evolve, data privacy and cybersecurity are no longer peripheral, they’re central. They reflect how a company respects individuals, manages risk, and builds trust in a digital world. For legal teams, this is an opportunity to lead, not just in compliance but in shaping a more ethical and resilient business.