Why is Data Protection Relevant for ESG?

In the current world driven by technology, personal data has become a coveted, valuable asset. The World Economic Forum argued that personal data “is generating a new wave of opportunity for economic and societal value creation”[1]. Companies rely on collecting and processing data of the people they interact with in order to provide a better product or a more efficient service. By collecting data, companies gain insight on the habits of consumers, which helps them monetize their business models and increase profits.

While generating high profits is still in the focus of businesses, there is an increasing trend of corporate and social responsibility. Consumers and investors alike seem to gravitate towards companies who have a high ESG (Environmental, Social and Governance) score. A successful ESG score affects the social and community image of a company, and further influences their financial performance.

The manner in which companies protect the personal data of their consumers has become an important element when considering the ESG score. The notorious Facebook-Cambridge Analytica scandal changed the landscape of how we perceive data privacy forever. For the first time in recent history, the world became aware of the fact that companies who have access to your data can easily dispose with it, going as far as to sell the personal data of its customers. Furthermore, a recent survey has found that cybersecurity is a number two concern of investors when choosing where to invest[1].

North Macedonia is slowly but surely jumping on the bandwagon of implementing ESG. At the beginning of 2022, the Stock Exchange of North Macedonia, with the help of EBRD, published the first ESG reporting guidelines for listed companies.[2] It is expected that in the following period, more companies from the private sector will recognize the importance of ESG and sustainability reporting.

Article by: Ana Kashirska, AmCham ESG Committee Member and Senior Associate at Veton Qoku Attorney at Law, in cooperation with Karanovic & Partners


In a world where climate change is a hot (no pun intended) topic, it is especially important for companies to be mindful of the use of natural resources and reducing their carbon footprint. During their course of work, companies accumulate a vast amount of data over the years, which is stored in both paper and digital versions. While in recent years the transition from paper to digital storage has increased, this does not necessarily mean reduction of the carbon footprint. On the contrary, the more data that is collected, more storage space is needed. The use of server space, hard drives and other electronic devices designed to store data impacts the environment more than we can imagine. These electronics use a lot of energy, a large part of which is generated by using fossil fuels, especially in developing countries such as North Macedonia. Furthermore, the disposal of these electronic devices creates electronic waste – or e-waste, which more often than not is disposed of improperly, thus becoming harmful to the environment.

So far in 2022, over 9 million tones of e-waste have been disposed of globally[3]. For illustration, such waste weighs more than four Burj Khalifas – the tallest building in the world. And if this trend continues in the following years, it is expected that until 2050, the world will reach the threshold of 120 million tones of e-waste.[4]

This is where data minimization comes into play. As one of the principles to data protection, it requires for personal data to be adequate, relevant and limited to what is necessary in relation to the purposes for which personal data are processed. The data minimization principle was implemented with the General Data Protection Regulation (“GDPR”) within the EU; however, many countries aligning their legislation with the GDPR included this within their data protection laws. One such example is the Law on Personal Data Protection of North Macedonia (“DP Law”), which also poses data minimization as one of the postulates for data protection.

Considering the above, companies should strive to keep as less data as possible – minding that the data retained is necessary for fulfilling the purposes for which the same is processed. This would lead to boosting the ESG score of companies, as well as protecting the environment.


The social aspect of ESG poses the question how companies treat the people they interact with. This encompasses a wide range of individuals, from employees, customers, suppliers and the community of which the company is a part. And privacy plays a key role in the social measurement.

Privacy, or the right to a private life, is considered a fundamental human right. Many countries around the world (including North Macedonia) have protected this right with the highest legal act – the Constitution. In the context of data protection, any information relating to an identified or identifiable natural person is considered as personal data and as such is protected with relevant legislation. In North Macedonia, personal data is protected primarily with the DP Law.

A recent study [5] monitoring the iOS update 14.5, which requires app developers to request permission to track their users beyond the app in use, has shown that only 15% of active app users worldwide allow app tracking. This means that, when presented with a choice, data subjects will choose to keep their data private. Companies should take this into consideration as they collect numerous personal data daily and have a social responsibility to protect the information and privacy of data subjects. This involves implementing procedures and adopting acts, as well as undertaking technical and organizational measures which undoubtedly guarantee that the company handles the personal data collected with utmost care.

Additionally, companies should be transparent when collecting and processing personal data. This means giving their data subjects complete information on what types of personal data are processed, the purposes for such processing, as well as granting them rights, among others, to access, erase or rectify their personal data. Data minimization should also be taken into consideration – companies should collect only the personal data which is absolutely necessary for achieving their purposes.

A certain level of trust is established between customers and companies when the former share their data with the latter. Targeting customers with ads, or any sort of direct marketing should be done only by obtaining prior consent. Companies should be extremely careful with handling personal data of minors and ensure that their privacy is well protected.

Giving data subjects greater control over their data strengthens the trust and showcases that the company cares more about its people.


The governance factor deals with how a company remains compliant with the standards and laws, which among other, regulate the collection and processing of personal data. Adopting relevant policies and putting security protocols in place lowers the risk of potential data breaches or any harm to the confidentiality and integrity of personal data collected and processed by the company. A 2019 report found that among notable consequence of data breaches is the decrease of stock prices in publicly traded companies. [6] An average drop of 7.5% of stock value has been reported in companies who have suffered data breaches, causing billion-dollar losses per company. This has led to irreparable damages to both companies and their stockholders.

And if this does not sound scary enough, another great incentive to remain compliant with regulatory requirements are the high fines imposed by data protection legislation. For example, the DP Law imposes severe penalties, including fines of up to 2% and up to 4% of the total annual income of the company from the previous financial year per misdemeanor.

Having in mind the above, companies should incorporate practices which safeguard the way in which personal data is handled and ensure regular monitoring and audit of data management practices. Also, it is almost always advisable to appoint a data protection officer (“DPO”). The DPO will serve not only as a contact point between the company and data subjects, but also as implementer of policies and standards to ensure compliance with data protection regulations. The adoption of a plan for prevention, reaction, and recovery in case of incidents could also show as a useful tool to provide quick reaction in case a data breach occurs.

What’s next?

Considering the rapid growth of the importance of ESG scores and the role they play in attracting investments, companies should implement detailed privacy and security policies. This will not only help to boost the ESG score, but also foster confidence among investors and customers, making the companies more attractive on the market.

Scroll to Top