The case for CSR/ Sustainability Reporting Done Responsibly


Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Home / case studies / Case study: How SGS promotes data security and privacy

Case study: How SGS promotes data security and privacy

With over 97,000 employees and a global network of more than 2,600 offices and laboratories, SGS is the world’s leading inspection, verification, testing and certification company, recognised as the global benchmark for quality and integrity. As a company that holds itself to the highest standards of professional behaviour, protecting personal data and compliance with associated privacy laws, are essential commitments for SGS  Tweet This!.

This case study is based on the 2018 Corporate Sustainability Report by SGS published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Layout 1Abstract

On an ongoing basis, SGS works on managing, preventing, detecting and responding to security issues or risks identified, also taking a lead in shaping the future of the digital world as a Charter of Trust co-signatory, with the aim of strengthening cybersecurity to protect people, companies and infrastructure. In order to promote data security and privacy SGS took action to:

  • promote cybersecurity
  • comply with the GDPR
  • provide training

What are the material issues the company has identified?

In its 2018 Corporate Sustainability Report SGS identified a range of material issues, such as professional and operational integrity, talent acquisition and retention, market presence, diversity and equal opportunities, respect for human rights. Among these, promoting data security and privacy stands out as a key material issue for SGS.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups SGS engages with: 

Stakeholder Group                Method of engagement
Employees and suppliers



·      Global employee engagement programme, CATALYST

·      SGS Sharepoint intranet portal

·      SGS Inside newsletter

·      Training programmes, videos and e-learning modules

·      SHINE Onboarding

·      Annual integrity training

·      Annual Safety Month

·      Spot the Orange Dot environmental behaviour campaign

·      Sustainability learning

·      Employee Representation Councils (e.g. European Works Council – Euroforum)

·      Supplier Self-Assessment

·      Supplier Code of Conduct

·      Supplier Audits

·      Supplier Innovation Programme




·      One-to-one meetings

·      SGS-hosted conferences, seminars and webinars

·      Customer surveys, e.g. Voice of the Customer

·      White papers

·      Customer portal

Governments and industries



·      SGS-hosted conferences, seminars and webinars

·      Membership meetings and events

·      White papers

·      Governments and Institutions business line





·      Annual General Meeting

·      SGS Investor Days

·      Meetings with investors and analysts

·      Responses to analyst questionnaires

Communities and the planet




·      Annual community survey to measure the impact of community investment

·      White papers

·      One-to-one meetings with NGOs and responses to questionnaires

Consumers ·      Certification and product labelling

·      Direct marketing and communication with certain B2C products

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics SGS carried out a survey among approximately 850 stakeholders in 52 countries, who included customers, senior managers, employees, suppliers, non-governmental organisations, ratings agencies, sustainability professionals and academics.

What actions were taken by SGS to promote data security and privacy?

In its 2018 Corporate Sustainability Report SGS reports that it took the following actions for promoting data security and privacy:

  • Promoting cybersecurity
  • SGS has a framework and team in place to protect intellectual property, business services and customer data by governing and managing cybersecurity. It is the team’s responsibility to manage SGS IT Security and Anomaly Detection Systems, deploying new tools where needed while identifying vulnerabilities, threats and potential incidents. SGS utilises several detection systems that monitor its network, system infrastructure and applications. The most critical of these detection systems are monitored on a continuous basis, while the rest keep audit information for analysis in case of enquiries or suspicion of fraudulent activity. Response times to potential incidents are monitored according to specific timeframe requirements, depending on the severity of the threat and its criticality. Any major security issues are investigated by the IT Security Department and, once the root cause has been identified, the impact of any proposed mitigation is evaluated and communicated. To promote high levels of cybersecurity, technical standards ensuring a sound security baseline have been developed and SGS also runs a continuous security awareness programme. As part of this programme, SGS carries out IT security training several times a year, for all employees. Cybersecurity is also an area that is taken seriously when integrating the IT systems of acquisitions and partners into those of the SGS Group.
  • Complying with the GDPR
  • In 2018, SGS put in place measures and mechanisms to make sure it complies with the General Data Protection Regulation (GDPR). These are detailed in the SGS GDPR Compliance Statement, which describes the steps SGS is taking to update and expand data security and protection across the Group. It also outlines the dedicated internal team in place to develop and implement the GDPR roadmap – assessing gaps and implementing enhanced and new policies and procedures. At the same time, SGS launched the GDPRONLINE service, to support customers in complying with the EU regulation.
  • Providing training
  • In 2018, SGS rolled out global awareness training on data protection and privacy principles as an e-learning module. This training is relevant to all employees, whether they collect and process personal data or not. Accordingly, the aim is to reach all SGS employees and, currently, SGS’s awareness training has been rolled out to more than 93,000 employees, with a completion rate of 95%.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data


Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

  • Sustainable Development Goal (SDG) 16: Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels
  • Business theme: Compliance with laws and regulations, Protection of privacy


80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

FBRH GRI Standards Certified and IEMA approved Sustainability Course | Venue: London LSE

By registering for the next 2-day FBRH GRI-Standards Certified and IEMA approved Course you will be taking the first step in gaining the many benefits of sustainability reporting.



1) This case study is based on published information by SGS, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:


Note to SGS: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.