Companies routinely collect personal information on their clients and users. This data is used for various purposes, such as analytical insights, client contact and targeting paid advertisements. As custodians of personal data, companies play a critical role in ensuring the data is kept safe and not used for nefarious purposes.
Protection of personal data is a fundamental right linking to SDG target 16.10: ‘Protect fundamental freedoms.’ SDG target 16.10 calls for ‘public access to information’. In this regard, it is important for stakeholders to know about data breach incidents to better understand risk and how companies are dealing with it. Both the GRI and SASB global reporting frameworks recommend that companies should disclose the number of data breaches they experience.


Research Guidance:

The companydiscloseswhether it has experienced breaches of customer privacy, including relevant details where applicable. To meet this element, the company must either report on breach incidents or clearlystatethat no breaches occurred during the reporting period.
The company mustdisclosethe following three items: number of data breaches that occurred, number or percentage of those breaches that involved personal data, number of accounts or users affected by breach(es). Best practice alsoincludea process for responding to data breaches when discovered, including steps taken to notify users,containthe incident, and prevent recurrence.