C4. Impact assessment

Does the company conduct regular, comprehensive, and credible due diligence, such as human rights impact assessments, to identify how all aspects of their business impact freedom of expression and privacy?

1. The company examines laws affecting privacy and freedom of expression in jurisdictions where it operates and uses this analysis to inform company policies and practices.

2. The company regularly assesses free expression and privacy risks associated with existing products and services.

3. The company assesses free expression and privacy risks associated with a new activity, including the launch and/or acquisition of new products or services or entry into new markets.

4. The company assesses free expression and privacy risks associated with the processes and mechanisms used to enforce its Terms of Service.

5. The company conducts in-depth due diligence wherever the company’s risk assessments identify concerns.

6. Senior executives and/or members of the company’s board of directors review and consider the results of assessments and due diligence in strategic decision-making for the company.

7. The company conducts assessments on a regular schedule.

8. The company’s assessment is assured by an external third party.

9. The external third party that assures the assessment is accredited to a relevant and reputable human rights standard by a credible organization.

Guidance: This indicator examines whether companies disclose the existence of any human rights impact assessment (HRIA) process that includes freedom of expression and privacy. (See definition and references in Appendix 1.)

Note that this indicator does not expect companies to publish detailed results of their human rights impact assessments, since a thorough assessment includes sensitive information. Rather, it expects that companies should disclose that they conduct HRIAs and provide information on what their HRIA process encompasses.

While this indicator uses the language of human rights impact assessments, companies may use different names for this review process. What companies call their process is less important than what the process encompasses and accomplishes. This indicator will include a review of Privacy Impact Assessments (PIAs) and other assessment processes that contain characteristics or components listed in this indicator but are not necessarily called “human rights impact assessments.”

Evaluation: This indicator is scored using a checklist, meaning companies can only receive full credit if they demonstrate that their assessment process addresses all elements in the checklist. If a company conducts HRIAs, but there is no public disclosure of the fact that it does so, the company will not receive credit.

Potential sources:

  • Company CSR/sustainability reports
  • Company human rights policy
  • Regulatory documents (e.g., U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative assessment reports
