- Respect and protect our customers’ privacy
- We are regarded as a trusted actor in handling personal data on the customer’s terms
- Established group-wide EU General Data Protection Regulation (GDPR) compliance program and ran local projects in relevant markets
- Carried out detailed data mapping according to GDPR requirements in core markets
- Developed detailed legal interpretations for all key GDPR areas to ensure harmonized implementation of legal obligations across core markets
Meet the GDPR requirements to a sufficient level, including:
- Implement sufficient “privacy by design” processes
- Implement sufficient processes for handling data subjects’ rights such as consent, objections and the right of access
- Provide user-friendly means to ensure users have control of how personal data is processed
- Provide clear and easy to understand information about processing of personal data
- Execute final GDPR risk mitigation activities in accordance with mitigation plans
- Establish user-friendly means of handling data subjects’ rights
- Ensure sufficient IT solutions are implemented to meet new requirements
- Continue to analyze how third parties meet our personal data processing requirements
- Develop additional common legal interpretations
Our work focuses on meeting the requirements of the EU General Data Protection Regulation (GDPR), which applies from 25 May 2018.
GDPR compliance governance is handled within a program that addresses all aspects of GDPR. The program, which was established and executed in 2017, covers core markets as well as group functions. The group GDPR program shares best practices, common legal interpretations and common solutions across markets to avoid duplicated work and diverging implementations.
Each country and group function GDPR project within the program is run by a project manager together with a local or group privacy officer. The program is governed by an executive steering committee whose members include the Chief Operating Officer, executives from each country and representatives from the corporate affairs, commercial and security functions. Subsidiaries are accountable for ensuring compliance and risk mitigation.
Work during the year
Detailed data mapping
Telia Company began mitigating the gaps identified in the GDPR gap assessments carried out in 2016. We performed detailed data mapping in group functions and subsidiaries, identifying every purpose for which personal data is processed and linking each purpose to the legal basis that makes the processing lawful under GDPR. Technical solutions that fulfil the GDPR requirements identified through the data mapping are being designed or implemented.
In addition, the group sourcing function analyzed suppliers that process personal data on behalf of Telia Company, to ensure they can follow Telia Company’s new data processing instructions. The analysis will continue in 2018.
Detailed legal interpretations
Several comprehensive legal interpretations were finalized, providing detailed internal guidance on how to apply the key requirements of GDPR. More guidelines will be developed to ensure a common understanding of our legal obligations within the group and to provide practical recommendations.
External audits analyze GDPR readiness
During 2017, an external law firm performed two in-depth audits of subsidiaries in core markets as well as group functions, assessing readiness to comply with GDPR by the time it applies. The first audit provided a high-level analysis of the risk of failing to reach GDPR compliance by May 2018. The follow-up audit evaluated whether the mitigation activities carried out since then were sufficient.
In both audits, documentation prepared by the local company and group function projects, including detailed deliverable plans and solutions, was reviewed to understand the requirements and ambition level for GDPR compliance within Telia Company. In addition, interviews were conducted with employees in the local companies and in the group functions’ GDPR compliance projects.
The audit reports focus on issues and findings that at this stage may affect the ability of local companies and group functions to achieve GDPR compliance in time. We are currently addressing the findings of the second audit and plan to conduct a final audit in early 2018.