By Christoph Werkmeister, Marlen Vesper-Gräske and Jessica Stein
Public awareness for responsible corporate governance in the digital age is gaining increasing attention. While many companies are already committed to environmental and social issues (Corporate Social Responsibility, CSR), the assumption of responsibility in the digital world, known as Corporate Digital Responsibility (CDR) is still in its early stages.
The term CDR refers to voluntary entrepreneurial efforts in the context of progressing digitization that go beyond the legal requirements. Essentially corporations seek to actively participate in shaping the digital world and take on responsibility in order to add social value. The United Nations Guidelines for Consumer Protection (UNGCP, revised in 2015) can be named as one of the legal foundations of CDR. The Guidelines stipulate that “businesses should protect consumers’ privacy through a combination of appropriate control, security, transparency and consent mechanisms relating to the collection and use of their personal data”. Yet, CDR includes more than just data and the protection of privacy, it also has special relevance, for example, in the area of the Internet of things (IoT).
In recent times, CDR has become increasingly important as a consequence of the soaring number of cyber crimes. Therefore, it plays a vital role for the protection of corporate business itself. A recent survey shows that while, in terms of total numbers, computer fraud and computer sabotage still ranks first when it comes to cyber crimes, data theft is catching up rapidly, victimizing individuals and corporations alike.
Against this backdrop, the German Ministry of Justice and Consumer Protection started an initiative on Corporate Digital Responsibility in May 2018, in which policy-makers and business representatives work together in order to establish CDR principles and identify new concepts. The CDR co-initiative published its first statement in October 2018 (which can be found here). The publication defines the goals and working principles of the initiative and introduces the relevant stakeholders, including some of Germany’s biggest companies that are not only limited to the technology sector. More recently, in April 2019, the Ministry published new results and portrayed the consequences of the digital transformation using practical case studies (which can be found here in German language). The publication sets out eight principles which should serve as a guideline in the process of establishing CDR standards.
These principles concern the promotion of consumer self-determination, the classification of digital transformation as a means of increasing participation in society and the promotion of sustainability, including the question of whether certain technologies carry unreasonable data or cyber risks (opportunity/risk assessment). The principles also address that companies shall bear responsibility to prevent technical dependencies and lock-in effects for consumers.
The CDR co-initiative further calls on the companies to promote the public discourse, raise awareness, ensure data protection and privacy ("privacy by default" / "privacy by design"), and offer interoperable technologies. Ultimately, companies are supposed to ensure a high level of IT security (already in the development phase of new technologies) and provide for necessary security updates.
With the aforementioned principles in mind, the CDR co-initiative seeks to engage companies in all industries and encourages the development of best practice standards in this area. A possible approach would be to build on existing CSR principles and to transform these into the digital world. This means that existing concepts and corporate strategies could be leveraged and applied to the new digital challenges. For example, companies could extend corporate risk analyses with regard to digital risks for the company itself but also the possible impact on society as a whole. In addition, transparent and comprehensible reporting on such digital risk analyses might become relevant in the future.