G4(a). Impact assessment: Governments and regulations

The company should conduct regular, comprehensive, and credible due diligence, through robust human rights impact assessments, to identify how government regulations and policies affect freedom of expression and information and privacy, and to mitigate any risks posed by those impacts in the jurisdictions in which it operates.

Elements: 

  1. Does the company assess how laws affect freedom of expression and information in jurisdictions where it operates?
  2. Does the company assess how laws affect privacy in jurisdictions where it operates?
  3. Does the company assess freedom of expression and information risks associated with existing products and services in jurisdictions where it operates?
  4. Does the company assess privacy risks associated with existing products and services in jurisdictions where it operates?
  5. Does the company assess freedom of expression and information risks associated with a new activity, including the launch and/or acquisition of new products, services, or companies, or entry into new markets or jurisdictions?
  6. Does the company assess privacy risks associated with a new activity, including the launch and/or acquisition of new products, services, or companies, or entry into new markets or jurisdictions?
  7. Does the company conduct additional evaluation whenever the company’s risk assessments identify concerns?
  8. Do senior executives and/or members of the company’s board of directors review and consider the results of assessments and due diligence in their decision-making?
  9. Does the company conduct assessments on a regular schedule?
  10. Are the company’s assessments assured by an external third party?
  11. Is the external third party that assures the assessment accredited to a relevant and reputable human rights standard by a credible organization?

Definitions:

Board of directors — Board-level oversight should involve members of the board having direct oversight of issues related to freedom of expression and privacy. This does not have to be a formal committee, but the responsibility of board members in overseeing company practices on these issues should be clearly articulated and disclosed on the company’s website.

Human Rights Impact Assessments (HRIA)/assess/assessments — HRIAs are a systematic approach to due diligence. A company carries out these assessments or reviews to see how its products, services, and business practices affect the freedom of expression and privacy of its users.

For more information about Human Rights Impact Assessments and best practices in conducting them, see this special page hosted by the Business & Human Rights Resource Centre: https://business-humanrights.org/en/un-guiding-principles/implementation-tools-examples/implementation-by-companies/type-of-step-taken/human-rights-impact-assessments

The Danish Institute for Human Rights has developed a related Human Rights Compliance Assessment tool (https://hrca2.humanrightsbusiness.org), and BSR has developed a useful guide to conducting a HRIA: http://www.bsr.org/en/our-insights/bsr-insight-article/how-to-conduct-an-effective-human-rights-impact-assessment

For guidance specific to the ICT sector, see the excerpted book chapter (“Business, Human Rights and the Internet: A Framework for Implementation”) by Michael Samway on the project website at: http://rankingdigitalrights.org/resources/readings/samway_hria.

Senior executives — CEO and/or other members of the executive team as listed by the company on its website or other official documents such as an annual report. In the absence of a company-defined list of its executive team, other chief-level positions and those at the highest level of management (e.g., executive/senior vice president, depending on the company) are considered senior executives.

Third party – A “party” or entity that is anything other than the user or the company. For the purposes of this methodology, third parties can include government organizations, courts, or other private parties (e.g., a company, an NGO, an individual person).

Indicator guidance: This indicator examines whether companies conduct regular, robust, and accountable human rights risk assessments of government regulations and policies in the jurisdictions in which they operate. These assessments should be part of the company’s formal, systematic due diligence activities that are aimed at ensuring that a company’s decisions and practices do not cause, contribute to, or exacerbate human rights harms. Assessments enable companies to identify possible risks to users’ freedom of expression and privacy rights and to take steps to mitigate possible harms if they are identified.

This indicator only pertains to government laws and regulations as well as the risks caused by companies’ products and services in the jurisdictions where the companies operate, while the other indicators in the G4 family cover other areas in which companies should be conducting risk assessments. Note that this indicator does not expect companies to publish detailed results of their human rights impact assessments, since assessments may include sensitive information. Rather, it expects that companies should disclose that they conduct HRIAs and provide information on what their HRIA process encompasses.

Potential sources:

  • Company CSR/sustainability reports
  • Company human rights policy
  • Reports from third-party assessors or accreditors
  • Global Network Initiative assessment reports