Companies preparing sustainability reports under the Corporate Sustainability Reporting Directive (CSRD) typically collect a lot of data. Technology can help with this. The challenge for companies is, on the one hand, to be as complete as possible, and on the other hand - for confidentiality and privacy reasons - not to report too much. Below we address this area of tension (including in relation to the AVG and the AI Act) and provide some practical tips.

New technologies can help achieve a company's ESG goals. For example, Artificial Intelligence (AI) can make processes faster and more efficient, and labor-intensive processes can be automated. These new technologies generally generate a lot of data (including personal data). This is an opportunity: 'measuring is knowing'. At the same time, this also involves a lot of (new) laws and regulations. Whereas initially this was mostly the General Data Protection Regulation (AVG), the Data Act, the Data Governance Act and, very recently, the AI Act have since been adopted as well. The latter sets rules for the use of AI in the European Union. All this creates a broad landscape of laws and regulations with which a company must comply when collecting data in general - and thus also in the context of the CSRD.
New technologies can also impact the person(s) being reported on. On the one hand because new technology leads to more data and more processing, and on the other hand because algorithms, artificial intelligence and other technologies can (unintentionally) lead to biases (conscious or unconscious bias) and discriminatory effects. Often it is not clear to the persons being reported on why this happens or what underlies it. Companies that, in the context of the CSRD, are subject to ESRS standard S1 (own employees) and/or ESRS S2 (employees in the value chain) report, among other things, on the distribution of men and women at the top and on how they treat disabled people, but also on how personal data of customers and suppliers are safeguarded. The reporting obligation does not automatically mean that this information may be reported or passed on (to third parties) under the heading of CSRD/ESG. It is important to pay attention to this at an early stage - for example, during the implementation phase of the CSRD - so that the (personal) data is also reported in accordance with other privacy laws and regulations. For an overview of the steps to achieve CSRD compliance, see the sustainability journey developed by BDO.
When processing information, not everything can or needs to be reported. For example, the CSRD states that all data must be reported in accordance with applicable privacy laws and regulations. Under the AVG, for example, additional provisions apply to special data (such as health data). Under the aforementioned ESRS S1 standard (own employees), employers will have to report on their discrimination, illness and/or health policies for employees. Complying with the AVG does not mean that everything can be reported directly, or that less or no personal data will suffice. The following applies: always consider carefully whether the personal data may be reported/transmitted. Do not do this 'blindly' with an appeal to the CSRD.
In addition, it is important for the reporting company to be alert that trade secrets are not revealed unintentionally. Also consider matters that are covered by confidentiality provisions, such as reports under the whistleblower regulation. Companies in the value chain (such as suppliers) from whom information is requested by CSRD-obligated companies have no obligation to provide all requested information without question. For example, the CSRD contains a provision stating that information relating to certain EU-designated trade secrets need not be provided. The company should weigh each time what is requested under the CSRD and what information is required to meet that request, so as not to inadvertently expose trade secrets, personal data or other confidential information.
Deploying technologies under reporting requirements also involves new risks, such as issues around compliance with recent/new laws and regulations like the AI Act. Keep yourself up to date on these new developments.
When reporting under the CSRD, consideration must always be given to whether disclosure of available information is in line with the AVG and/or other confidentiality obligations.
Don't report "blindly": keep in mind the privacy interests of employees, customers and suppliers, among others, and assess what may and may not be provided under the AVG/other privacy laws.
