Modern slavery, EU corporate due diligence and ESG

What’s changing in the world of mandatory corporate compliance?

The EU’s proposed new corporate due diligence and corporate accountability directive will cover companies that sell to the EU, not just those based there. Businesses will be required to identify, address and remedy their impact on human rights and the environment. Crucially, this is likely to go up and down the value chain, which means customers as well as suppliers. Businesses could be sued inside the EU for human rights violations or environmental damage committed by their customers or end-users of their products in third countries. 

Not just the EU, but also the US

This is not only an EU idea. The US Securities and Exchange Commission (SEC)’s investment committee is moving forward to create a framework for ESG disclosure. The International Financial Reporting Standards (IFRS) Trustees announced in February that they are moving forward with forming a new board that would establish global ESG reporting standards. ESG is having such a big impact on the investment world because it helps investors understand how resilient firms are to ESG risks. Those risks can be as broad as climate change or environmental disasters, accusations of racism or harassment, or the impact of governance failures such as fines for bribery.

Even in the UK…

While the UK is not required to implement new EU legislation, the global push for corporate due diligence is gaining speed. Even in the UK, the government recently launched a consultation on mandatory climate disclosures for large companies, in line with recommendations from the Task Force on Climate-related Financial Disclosures. This is in addition to new requirements in the Environment Bill, currently going through parliament, which aims to clamp down on deforestation in supply chains.

A vastly enhanced Modern Slavery Act

The aims of the EU’s directive can be summed up as a vastly enhanced Modern Slavery Act. The directive aims to prevent and protect against business impacts on human rights, the environment and governance in supply chains, and hold businesses accountable for such impacts. The idea is that anyone who has suffered harm, anywhere in the world—and anywhere in the supply chain—can take legal action against those companies. As broad in reach as GDPR, any companies selling to the EU would likely be covered.

Responsibility that spans the value chain

Importantly, the directive seeks to cover the entire “value chain”. This is broader than a one-way supply chain that traces its way back to the raw material: the value chain also looks forward to customers and end-users. Businesses would be required to identify any places in the value chain that could contribute to ESG risks, and perform ongoing monitoring to reduce those risks.

Even businesses that confirm they do not cause or contribute to risks will have to publish a statement to this effect, alongside their risk assessment. Risks that have been identified will need an action plan and due diligence strategy to mitigate them.

Sanctions could include financial penalties, compensation, public apologies, restitution and demands to change certain actions. Nor would the imposition or agreement of penalties absolve a company from civil proceedings brought by those who have suffered harm.

Whether or not the UK follows such a directive with its own legislation is somewhat beside the point. The global appetite for ESG due diligence and concrete action is rising. Most multinationals are already grappling with this new reality. The new EU rules are but another step on the road to ESG compliance.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
