
Can companies like Facebook comply with NEW European legislation?

By Sam Thibault

21st century EU directives focus on publication of Corporate Social Responsibility information and Data Protection.

If Facebook can move 1.5 billion users out of reach of European privacy laws, can other companies as easily avoid the complexities of Sustainability Reporting or disclosing Data Protection procedures?

The EU Directive on Non-financial and Diversity Information (2014/95/EU) and the forthcoming General Data Protection Regulation (GDPR) apply to corporations operating in any of the European Union Member States. The objective of Directive 2014/95/EU is to raise the transparency of social and environmental information. The GDPR's intent is to protect individuals' personal data from misuse and breaches by companies operating in any sector.

The two are complementary, since customer privacy is a core requirement in the GRI Standards and other international guidelines for Sustainability (CSR) Reporting.

Corporations that meet the minimum thresholds in multiple countries must file a report for each one. And each Member State can modify the rules to align them with its own national laws.

With its European team and global expertise, the Centre for Sustainability and Excellence is uniquely positioned to help companies meet Directive 2014/95/EU and GDPR requirements.  CSE’s Certified Sustainability Practitioner Program, Advanced Edition 2018, addresses EU mandates. 

Reporting requirements can differ significantly by country.  Directive 2014/95/EU reports must cover:

  • Environmental impact, including Scope 1, 2 and 3 GHG emissions
  • Social and employee matters
  • Respect for human rights
  • Anti-corruption and bribery concerns
  • Data Privacy (GDPR)

They must include: the company’s business model; relevant policies implemented, due diligence and policy outcomes; principal risks, including business relationships, products or services; and non-financial key performance indicators.

Adhering to the EU reporting rules increases stakeholder trust. Companies learn from the process and focus on the importance of data privacy. The effort generates continuous improvements in a business's impact. The public reporting requirement helps companies highlight their business integrity. Another advantage is the opportunity to incorporate the United Nations Sustainable Development Goals (SDGs), a major policy priority of the European Commission.

The directive for non-financial reporting applies to "large undertakings which are public-interest entities" averaging 500 or more employees within a Member State, while the GDPR applies to any company processing the personal data of individuals in the EU, whether or not the company itself is established in Europe. Each country specifies: topics and content, disclosure format, level of auditing and independent assurance, non-compliance penalties, and whether to include diversity reporting. For companies operating in multiple countries, reporting can be quite complex!

How different can requirements be? Penalties vary by country, and under the GDPR fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher. Fines can be applied to an individual company executive or to the company as a whole. Some states impose prison sentences, with durations ranging from 2 to 6 years. There are 30 different variations of reporting. If you oversee compliance, you do not want to get this wrong!

During the upcoming trainings in New York City, June 11-12, in Bucharest, Romania, June 21-22, in Houston, USA, September 27-28, and in London, December 6-7, 2018, attendees will learn how to apply CSR strategy and reporting to facilitate meeting EU and other global legislation. 

Rosalinda Sanquiche, CSE