Indicators 2 and 3: policy

Across all indicators, the highest level of company disclosure was the existence of a publicly stated data protection and/or privacy policy, at 96%. However, only 25% of companies published policies that explicitly covered all operations. Several companies stated that their policies did not apply to third parties, as third parties had issued their own data protection or cyber security policies.

Investor relevance: the management of data by third parties should be a priority, particularly when companies do not have direct control over the storing, transmission and handling of sensitive data.

Investors may therefore seek clarification from companies on the coverage of data protection policies and whether they apply to the website only or a particular operation. Such discussions may also provide insights on whether the company takes a centralised or decentralised approach to implementing cyber security procedures, as well as what data is held, maintained or processed by third parties, and how it is protected.

Good practice: disclosure on this indicator may include a data protection or cyber security policy which is detailed, clear and comprehensive, and covers all company operations.

Novo Nordisk offers a good example: “Although the legal obligations under European law apply only to personal information used and collected in Europe, Novo Nordisk will apply this policy globally, and in all cases where Novo Nordisk processes personal information both manually and by automatic means and whether the personal information relates to Novo Nordisk’s employees, contractors, business contacts or other third parties.”

Very few companies disclosed in such detail against this indicator. Yet, disclosure here may function as a proxy indicator for the rigour by which personal data is being appropriately handled and securely stored by a company.