Case study: How SGS promotes data security and privacy
With over 97,000 employees and a global network of more than 2,600 offices and laboratories, SGS is the world’s leading inspection, verification, testing and certification company, recognised as the global benchmark for quality and integrity. As a company that holds itself to the highest standards of professional behaviour, protecting personal data and compliance with associated privacy laws are essential commitments for SGS.
This case study is based on the 2018 Corporate Sustainability Report by SGS published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ESG/sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.
Abstract
On an ongoing basis, SGS works on managing, preventing, detecting and responding to security issues or risks identified, also taking a lead in shaping the future of the digital world as a Charter of Trust co-signatory, with the aim of strengthening cybersecurity to protect people, companies and infrastructure. In order to promote data security and privacy SGS took action to:
- promote cybersecurity
- comply with the GDPR
- provide training
With this case study you will see:
- Which are the most important impacts (material issues) SGS has identified;
- How SGS proceeded with stakeholder engagement, and
- What actions were taken by SGS to promote data security and privacy
What are the material issues the company has identified?
In its 2018 Corporate Sustainability Report SGS identified a range of material issues, such as professional and operational integrity, talent acquisition and retention, market presence, diversity and equal opportunities, respect for human rights. Among these, promoting data security and privacy stands out as a key material issue for SGS.
Stakeholder engagement in accordance with the GRI Standards
The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:
Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.
Key stakeholder groups SGS engages with:
| Stakeholder Group | Method of engagement |
| --- | --- |
| Employees and suppliers | Global employee engagement programme, CATALYST · SGS Sharepoint intranet portal · SGS Inside newsletter · Training programmes, videos and e-learning modules · SHINE Onboarding · Annual integrity training · Annual Safety Month · Spot the Orange Dot environmental behaviour campaign · Sustainability learning · Employee Representation Councils (e.g. European Works Council – Euroforum) · Supplier Self-Assessment · Supplier Code of Conduct · Supplier Audits · Supplier Innovation Programme |
| Customers | One-to-one meetings · SGS-hosted conferences, seminars and webinars · Customer surveys, e.g. Voice of the Customer · White papers · Customer portal |
| Governments and industries | SGS-hosted conferences, seminars and webinars · Membership meetings and events · White papers · Governments and Institutions business line |
| Investors | Annual General Meeting · SGS Investor Days · Meetings with investors and analysts · Responses to analyst questionnaires |
| Communities and the planet | Annual community survey to measure the impact of community investment · White papers · One-to-one meetings with NGOs and responses to questionnaires |
| Consumers | Certification and product labelling · Direct marketing and communication with certain B2C products |
How stakeholder engagement was made to identify material issues
To identify and prioritise material topics SGS carried out a survey among approximately 850 stakeholders in 52 countries, who included customers, senior managers, employees, suppliers, non-governmental organisations, ratings agencies, sustainability professionals and academics.
What actions were taken by SGS to promote data security and privacy?
In its 2018 Corporate Sustainability Report SGS reports that it took the following actions for promoting data security and privacy:
- Promoting cybersecurity
  - SGS has a framework and team in place to protect intellectual property, business services and customer data by governing and managing cybersecurity. It is the team’s responsibility to manage SGS IT Security and Anomaly Detection Systems, deploying new tools where needed while identifying vulnerabilities, threats and potential incidents. SGS utilises several detection systems that monitor its network, system infrastructure and applications. The most critical of these detection systems are monitored on a continuous basis, while the rest keep audit information for analysis in case of enquiries or suspicion of fraudulent activity. Response times to potential incidents are monitored according to specific timeframe requirements, depending on the severity of the threat and its criticality. Any major security issues are investigated by the IT Security Department and, once the root cause has been identified, the impact of any proposed mitigation is evaluated and communicated. To promote high levels of cybersecurity, technical standards ensuring a sound security baseline have been developed and SGS also runs a continuous security awareness programme. As part of this programme, SGS carries out IT security training several times a year, for all employees. Cybersecurity is also an area that is taken seriously when integrating the IT systems of acquisitions and partners into those of the SGS Group.
- Complying with the GDPR
  - In 2018, SGS put in place measures and mechanisms to make sure it complies with the General Data Protection Regulation (GDPR). These are detailed in the SGS GDPR Compliance Statement, which describes the steps SGS is taking to update and expand data security and protection across the Group. It also outlines the dedicated internal team in place to develop and implement the GDPR roadmap – assessing gaps and implementing enhanced and new policies and procedures. At the same time, SGS launched the GDPRONLINE service, to support customers in complying with the EU regulation.
- Providing training
  - In 2018, SGS rolled out global awareness training on data protection and privacy principles as an e-learning module. This training is relevant to all employees, whether they collect and process personal data or not. Accordingly, the aim is to reach all SGS employees and, currently, SGS’s awareness training has been rolled out to more than 93,000 employees, with a completion rate of 95%.
Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?
The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data
Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:
- Sustainable Development Goal (SDG) 16: Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels
- Business theme: Compliance with laws and regulations, Protection of privacy
References:
1) This case study is based on published information by SGS, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:
http://database.globalreporting.org/
2) https://www.globalreporting.org/standards/gri-standards-download-center/