Customer privacy

Vast amounts of data are generated when our customers use our services and networks. Customer privacy is becoming more important to manage as customer expectations increase and legislation is strengthened.

Strategic objective

2018 goals

2016 progress

  • Respect and protect our customers’ privacy.
  • We are regarded as a trusted actor in handling personal data on the customer’s terms.
  • “Privacy by design” implemented in all relevant project management processes.
  • All employees aware of the privacy requirements related to their work duties.
  • Clear and easy to understand information about processing personal data readily available to customers.
  • Mitigation of EU Data Protection Regulation (GDPR) compliance risks.
  • Privacy Impact Assessment process implemented in Telia Company’s project model.
  • Group-common “Privacy Notice” model created.
  • Local gap assessments against GDPR completed and risk mitigation roadmaps developed in regions Sweden and Europe.
  • Strengthened governance and resources to meet GDPR requirements.

The EU Data Protection Regulation (GDPR) was approved in April and will come into effect in May 2018. The new requirements will have a fundamental impact on our industry as the amount of personal data processed is increasing exponentially, cloud-based services and cross-border data transfers are becoming increasingly common, threat landscapes are rapidly changing and customer trust is a cornerstone for business.

In light of events in recent years, there is a growing focus on privacy from the societal, operator and customer perspectives. We foresee that customer privacy risks are becoming increasingly important to manage as customer expectations grow and legislation is strengthened in the EU and other markets. In addition, this area can also present new business opportunities.

Governance

Our work is guided by the group customer privacy policy that defines principles regarding collecting, processing and retaining personal data as well as customers’ rights. The group security policy defines measures to safeguard the confidentiality and integrity of customers’ personal data. In addition, the GDPR sets new requirements.

Group-wide governance for driving GDPR compliance and risk mitigation is led by a steering committee chaired by Telia Company’s Chief Operating Officer. This ensures strong group-level oversight and control over GDPR risk mitigation activities.

Country organizations and group functions are responsible for ensuring GDPR compliance and risk mitigation. This work is led by privacy officers appointed in each country and group function. Progress is regularly reported to local and regional GREC meetings and to Group Executive Management.

A group level privacy team, led by the group privacy officer, provides harmonized GDPR interpretations and guidance to local units, oversees risk mitigation status, performs reviews, and steers and follows up closely on implementation. In addition, external resources support development of processes and IT architecture as well as security safeguards in line with GDPR requirements.

Work during the year

GDPR gap assessments and mitigation plans

In 2016, the main focus was on preparing for the GDPR. Initial gap assessments were carried out by local privacy officers in regions Sweden and Europe, and on group level. The assessments focused on defining actions to ensure timely implementation of the requirements and appropriate risk mitigation. Group-level interpretations of the new requirements were developed and all privacy officers were trained in them. A specific data-mapping project was carried out to strengthen information asset and vendor management as well as to deliver an overview of data processing activities.

Privacy impact assessment integration

“Privacy by design” – taking privacy into account at the earliest possible stage of projects, initiatives and product development – is one of Telia Company’s key privacy policy principles. The privacy impact assessment model facilitates a privacy by design approach by proactively ensuring that the target design of a project or other initiative is compliant with laws and internal requirements from the early stages.

The privacy impact assessment process was integrated into Telia Company’s main project model as a mandatory activity. Project managers were also trained in the requirements.

Transparency of data processing

To increase the transparency of the collection and use of personal data, a group common “privacy notice” model was created to set a standard for how Telia Company provides information on data processing to customers. The privacy notice contains information on, for example, the reasons that personal data is processed and the rights customers have. Several local privacy notices were aligned with the common privacy notice model in regions Sweden and Europe.

Planned work in 2017

In 2017, the focus will be on executing GDPR risk mitigation activities in accordance with local and group-level mitigation plans. These include changes in our IT environment, processes and data processing practices as well as activities to continuously increase awareness and strengthen privacy governance. Relevant group policies and instructions will be revised to reflect the new GDPR requirements.

case

Telia in Norway develops "Trust
as a Service"

The GDPR is the biggest change in privacy regulation in over 20 years in Europe. As a member of the EEA, Norway will also implement the regulation.

Telia in Norway is developing a consent management solution with the goal of providing “Trust as a Service” between end-users and the applications they interact with. The service enables users to access their online personal data, focusing on the user’s right to control who gains access to their data and for what processing purposes. The solution is part of Telia Norway’s developer platform and will be available to any internal or external service provider in early 2017.

The service allows service providers – that is, any site, application or service – to create dialogs between them and end-users with regard to asking for consent for data processing. Once the user gives consent, the agreement is delivered to both parties in a format that links the agreed data processing into a human- and machine-readable format.

“Apart from the legal need to be compliant, privacy is rapidly becoming a defining issue of the digital era where consumer trust is essential for our success. To deliver on our brand promise on the customer’s terms, we must see GDPR as a business opportunity,” says Linn Hege M. Bade, Engineering Lead for User and Privacy Management at Telia in Norway.

 

customers.png