Customer privacy

Vast amounts of data are generated when our customers use services and our networks. Customer privacy will become increasingly important to manage as customer expectations increase and legislation is strengthened.
Strategic objective

  • Respect and protect the privacy of our customers.
  • We are regarded as a trusted actor in handling personal data on the customer’s terms.

2018 Goals

  • “Privacy by design” is implemented in all relevant project management processes.
  • All employees are aware of the privacy requirements related to their work duties.
  • Clear and easy to understand information about processing personal data readily available to customers.

2015 Outcome

  • Customer privacy impact assessment method implementation initiated.
  • Policy gap analysis and mitigation plan updated in 13 countries.
  • 75 percent of employees trained through “Privacy World” e-learning.

Context

Growing focus on customer privacy

It is highly challenging to establish and uphold “bullet-proof” privacy protection in increasingly sophisticated data environments and in ever-changing technical and threat landscapes. Vast amounts of data are generated when our customers use services and our networks. New ways of connecting and data-heavy business models make it difficult for individuals to retain control over how their data is collected and used. According to the Eurobarometer 2015 – Data Protection, trust in the ability of online service providers and telecom companies to protect privacy is low.

In light of events in recent years, there is a growing focus on privacy from the societal, operator and customer perspectives. We foresee that customer privacy will become increasingly important to manage as customer expectations increase and legislation is strengthened in the EU and other markets.

 


Governance

We need to continuously assess risks, build awareness among employees and suppliers, include privacy controls in relevant processes as well as integrate privacy safeguards into our IT infrastructure.

Our work is guided by the group customer privacy policy, which defines principles regarding, for example, collecting, processing and retaining personal data as well as customers’ rights. Measures to safeguard the confidentiality and integrity of customers’ personal data are defined in the group security policy.

The customer privacy organization consists of the group privacy owner and group privacy officer, as well as privacy officers in local companies and group functions. It is responsible for developing and implementing customer privacy governance and supporting line organizations in their work to implement our policies and comply with local requirements. During the year, the group customer privacy organization was strengthened significantly to better support local policy implementation and integration of customer privacy into the IT architecture.

Activities during the year

During 2015, the main focus was on further strengthening governance and increasing awareness as well as on implementation and risk mitigation activities.

Privacy by design

We consider “privacy by design” – taking privacy requirements into account at the earliest possible stage – as one of the key privacy principles supporting our efforts to ensure that customer privacy is respected. For this reason, an impact assessment method for assessing risks, compliance and impacts on customer privacy was developed, and its implementation into the project management process was initiated.

Gap and risk assessments

All except one local company completed customer privacy gap and risk assessments and updated their mitigation roadmaps. The assessment results and measures to address risks varied, reflecting differences in maturity. In general, the results indicated that despite our efforts so far, we must increase our focus on the “privacy by design” approach, deletion or anonymization of data, development of risk management processes, increasing awareness and ensuring control over our supply chain. Implementation projects and initiatives to execute risk mitigation roadmaps and close identified compliance gaps are ongoing.

Reviews and audits

A privacy and security compliance monitoring process was developed and the first measurement results focusing on information, IT and network security were analyzed during the third quarter. In addition, on-site customer privacy reviews were performed by group internal audit in three countries. Subsequently, action plans were agreed upon regarding key areas such as training.

Customer privacy training

Significant effort was put into increasing awareness among all employees. A mandatory e-learning course available in 14 languages was launched successively in all countries and group functions. 75 percent of employees were trained during 2015, and the rollout will continue in 2016. Additionally, local training activities were run for employees and certain subcontractors.

Improving control over the supply chain

To improve control over our supply chain, a guideline for privacy in outsourcing was approved and a training course covering the guideline was offered to privacy officers. The guideline describes privacy requirements and risks to be considered during the stages of the outsourcing process.

Planned activities in 2016

In 2016 we will focus on ensuring “privacy by design” by rolling out the privacy impact assessment method in group functions and regions Sweden and Europe.

We aim to increase transparency about the collection and use of personal data by ensuring that comprehensive, easy to understand information is available to customers.

We will continue to assess the impacts of the new EU Data Protection Regulation and initiate actions to ensure timely implementation of the requirements and appropriate mitigation of legal risks.

The work to continuously assess risks, maintain and execute mitigation activity plans, follow up progress as well as increase awareness and expertise will continue.

CASE:

Security Health Check

“Security Health Check” was launched as a concept to assist countries in identifying gaps in their security measures related to protecting information such as customer personal data, and defining changes in ways of working, processes and technologies used. During 2015, this activity was completed in most of TeliaSonera’s majority-owned companies, with local action plans agreed.

Security Health Check is a joint effort from group technology and group security to share best practices and learn about the local business environment to define the most fitting solutions for identified problems. The health check takes a practical and engaging approach: employees are encouraged to openly bring up security issues that trouble them, discuss suggestions for improvement and see how other functions across the group have solved similar problems. As a result of the open collaboration, the health check has started to create a community where employees on all levels can share their experiences.

© TeliaSonera 2015
In the event of any differences between this online version of the Annual and sustainability report and the printed version, the printed version shall prevail.