Growing focus on customer privacy
It is highly challenging to establish and uphold “bullet-proof” privacy protection in increasingly sophisticated data environments and in ever-changing technical and threat landscapes. Vast amounts of data are generated when our customers use services and our networks. New ways of connecting and data-heavy business models make it difficult for individuals to retain control over how their data is collected and used. According to the Eurobarometer 2015 – Data Protection, trust in the ability of online service providers and telecom companies to protect privacy is low.
In light of events in recent years, there is a growing focus on privacy from the societal, operator and customer perspectives. We foresee that customer privacy will become increasingly important to manage as customer expectations increase and legislation is strengthened in the EU and other markets.
We need to continuously assess risks, build awareness among employees and suppliers, include privacy controls in relevant processes as well as integrate privacy safeguards into our IT infrastructure.
The customer privacy organization consists of the group privacy owner and group privacy officer, as well as privacy officers in local companies and group functions. It is responsible for developing and implementing customer privacy governance and supporting line organizations in their work to implement our policies and comply with local requirements. During the year, the group customer privacy organization was strengthened significantly to better support local policy implementation and integration of customer privacy into the IT architecture.
Activities during the year
During 2015, the main focus was on further strengthening governance and increasing awareness as well as on implementation and risk mitigation activities.
Privacy by design
We consider “privacy by design” – taking privacy requirements into account at the earliest possible stage – as one of the key privacy principles supporting our efforts to ensure that customer privacy is respected. For this reason, an impact assessment method for assessing risks, compliance and impacts on customer privacy was developed, and its implementation into the project management process was initiated.
Gap and risk assessments
All except one local company completed customer privacy gap and risk assessments and updated their mitigation roadmaps. The assessment results and measures to address risks varied, reflecting differences in maturity. In general, the results indicated that despite our efforts so far, we must increase our focus on the “privacy by design” approach, deletion or anonymization of data, development of risk management processes, increasing awareness and ensuring control over our supply chain. Implementation projects and initiatives to execute risk mitigation roadmaps and close identified compliance gaps are ongoing.
Reviews and audits
A privacy and security compliance monitoring process was developed and the first measurement results focusing on information, IT and network security were analyzed during the third quarter. In addition, on-site customer privacy reviews were performed by group internal audit in three countries. Subsequently, action plans were agreed upon regarding key areas such as training.
Customer privacy training
Significant effort was put into increasing awareness among all employees. A mandatory e-learning course available in 14 languages was launched successively in all countries and group functions. 75 percent of employees were trained during 2015, and the rollout will continue in 2016. Additionally, local training activities were run for employees and certain subcontractors.
Improving control over the supply chain
To improve control over our supply chain, a guideline for privacy in outsourcing was approved and a training course covering the guideline was offered to privacy officers. The guideline describes privacy requirements and risks to be considered during the stages of the outsourcing process.
Planned activities in 2016
In 2016 we will focus on ensuring “privacy by design” by rolling out the privacy impact assessment method in group functions and regions Sweden and Europe.
We aim to increase transparency about the collection and use of personal data by ensuring that comprehensive, easy-to-understand information is available to customers.
We will continue to assess the impacts of the new EU Data Protection Regulation and initiate actions to ensure timely implementation of the requirements and appropriate mitigation of legal risks.
The work to continuously assess risks, maintain and execute mitigation activity plans, follow up progress as well as increase awareness and expertise will continue.