G4. Impact assessment

The company should conduct regular, comprehensive, and credible due diligence, such as human rights impact assessments, to identify how all aspects of its business affect freedom of expression and privacy and to mitigate any risks posed by those impacts.

Elements
  1. As part of its decision-making, does the company consider how laws affect freedom of expression and privacy in jurisdictions where it operates?
  2. Does the company regularly assess freedom of expression and privacy risks associated with existing products and services?
  3. Does the company assess freedom of expression and privacy risks associated with a new activity, including the launch and/or acquisition of new products, services, or companies or entry into new markets?
  4. Does the company assess freedom of expression and privacy risks associated with the processes and mechanisms used to enforce its terms of service?
  5. Does the company conduct additional evaluation wherever the company’s risk assessments identify concerns?
  6. Do senior executives and/or members of the company’s board of directors review and consider the results of assessments and due diligence in their decision-making?
  7. Does the company conduct assessments on a regular schedule?
  8. Are the company’s assessments assured by an external third party?
  9. Is the external third party that assures the assessment accredited to a relevant and reputable human rights standard by a credible organization?
Research guidance
People face human rights risks when they use digital tools. Human rights impact assessments (HRIAs) are a way for companies to learn about and to address, or at the very least try to mitigate, those risks, especially when introducing products and services to new markets. This indicator examines whether companies disclose the existence of any human rights risk assessment processes, as well as whether and how companies incorporate assessments of freedom of expression and privacy considerations into their decision making. These assessments represent a systematic internal examination to ensure that a company’s decisions and practices align with its commitment (and responsibility) to respect freedom of expression and privacy.

While this indicator uses the language of human rights impact assessments, companies may use different names for this review process. What companies call their process is less important than what the process encompasses and accomplishes. This indicator will include a review of Privacy Impact Assessments (PIAs) and other assessment processes that contain characteristics or components listed in this indicator but are not necessarily called “human rights impact assessments.”

Note that this indicator does not expect companies to publish detailed results of their human rights impact assessments, since a thorough assessment includes sensitive information. Rather, it expects that companies should disclose that they conduct HRIAs and provide information on what their HRIA process encompasses. If a company conducts HRIAs but does not publicly disclose the fact that it does so, the company will not receive credit.

Potential sources:

  • Company CSR/sustainability reports
  • Company human rights policy
  • Regulatory documents (e.g., U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative assessment reports