Companies routinely collect personal information on their clients and users. This data is used for various purposes, such as analytical insights, client contact and targeting paid advertisements. As custodians of personal data, companies play a critical role in ensuring the data is kept safe and not used for nefarious purposes.
Protection of personal data is a fundamental right linking to SDG target 16.10: ‘Protect fundamental freedoms.’ SDG target 16.10 calls for ‘public access to information’. In this regard, it is important for stakeholders to know about data breach incidents to better understand risk and how companies are dealing with it. Both the GRI and SASB global reporting frameworks recommend that companies should disclose the number of data breaches they experience.


Research Guidance:

The companydisclosesa group-wide privacy policy that sets out principles for how it collects, uses, processes, and protects personal data, and explicitlystatesthat these principles apply to all subsidiaries and all geographic locations where the companyoperates. The company must show evidence of a formal privacy policy or equivalent document (e.g. privacy strategy, data governance framework) that outlines how it manages personal information. The statement should apply at minimum to employees and customers and should cover all company‚s activities comprehensively and none should be excluded.
For mobile operators, a privacy policy limited to their single country of operation is acceptable, provided it is clearly group-wide within that national context. Local legal provisions (e.g. GDPR in the EU or CCPA in California) may be acknowledged as enhancements to the global policy. These are acceptable only if they elevate protections, not if they reduce or fragment them.
To meet this element, the company's statement mustbe found in a publicly available policy document or policy webpageandprovide evidence that user consent isrequiredto process user data.