Skip to content
Legal Data & Metrics

The upward inflection of data privacy policies

Nadja Herger  Data Scientist / Thomson Reuters Labs

· 5 minute read

Nadja Herger  Data Scientist / Thomson Reuters Labs

· 5 minute read

How are different business sectors worldwide adapting to the changing landscape of data privacy policies? Which sectors are paving the way to a safer and more secure digital environment, and which ones are straggling behind?

To answer these questions, we made use of Thomson Reuters (now Refinitiv’s) environmental, social and governance (ESG) research data. The ESG data contains information on nearly 7,000 global companies, reaching back to 2002. This analysis was conducted by Thomson Reuters Labs in collaboration with the World Economic Forum to create visualizations for an insight report on building an inclusive, trustworthy and sustainable digital society.

The ESG data, which builds the basis of our analysis, was manually collected from publicly available information sources to ensure that the data is standardized, comparable and reliable. Moreover, the gathered data is quality controlled and verified in a rigorous process by experienced analysts and robust automated checks within Thomson Reuters.

The graphic is based on the ESG’s data privacy policy metric, which highlights if and when a company has introduced a policy to protect customer and general public privacy and integrity. We have grouped around 6,000 public companies into their respective business sectors based on the Thomson Reuters Business Classification (TRBC). TRBC is the most comprehensive, detailed and up-to-date sector and industry classification available. (Click on the graphic below to view the full sized version).

Thomson Reuters Labs graphic - Data Privacy Policies across industries

Between 2002 and 2017, we show what percentage of companies within each business sector has a privacy policy in place, which would give people more control over their personal data. The graphic clearly shows that companies worldwide across most business sectors have gradually adopted data privacy policies, with most of the growth happening in the past few years.

This positive trend is hard to explain without taking the EU general data protection regulation (GDPR) into consideration. GDPR is considered one of the most important changes in data privacy regulation in 20 years, affecting all companies operating in the EU, wherever they are based. It was adopted in April 2016 and became enforceable in May 2018. Even though we have not established a formal causal relationship, the data strongly suggests that GDPR was an important factor in most of the companies adopting such policies in recent years.

From the business sectors represented in this set, insurance and services in the areas of telecommunication, banking and investment, and healthcare have the largest proportion of companies with a data privacy policy in place. Within those sectors at the forefront, we see adoption rates of up to 94%. Lagging business sectors include investment holding companies, food & beverages, and minerals and energy (many of those with a relatively small number of representing companies).

It is not surprising to see insurance companies, banks and the healthcare sector among the high performers, given that they have many individual clients and are exposed to huge risks in terms of keeping sensitive information secure. Finding investment holding companies among the stragglers is thought-provoking given the increasing demand for transparency in financial markets and the risk associated with a lack in transparency in terms of money laundering.

This generally positive story of more and more companies introducing data privacy policies, with some business sectors even reaching beyond 90% adoption rates, should not be told without acknowledging the issues around data provenance. No ESG data has been gathered (or in some cases reported) for private companies, which largely outnumber public ones. This large proportion of the “known unknown” makes is hard to draw a generic conclusion (see graphic below). The adoption rate would drop down to less than 20% across all business sectors if we make the assumption that the (public and private) companies without reported ESG data do not have data privacy policies in place. This would of course be alarmingly low and paint a completely different picture in terms of customer’s control over their personal data.

An important note on the methodology of this analysis: Only 6k of 60k companies have data on this topic. Each box below represents 100 companies. Orange boxes are companies we have any data on (whether they have data privacy policies or not) and grey boxes are companies we have no information about data privacy policies on.

Digital transformation is affecting all aspects of our increasingly connected society, and companies are slowly getting ready for our shared digital future. Given that topics such as data privacy and security are now discussed by politicians, business leaders and regulators on a daily basis, we are hopeful that adoption rates across all sectors will increase further and at a faster rate.


Learn more

Access the full report, Our Shared Digital Futureswhich addresses the need for shared goals and coordinated action to shape an inclusive, sustainable, digital future.

View the other articles in this series:

More insights