In the constantly changing digital landscape, we seek to anticipate and respond to evolving consumer expectations, security threats and regulation concerning data privacy.
Nestlé treats the personal data of our consumers, employees and other stakeholders with the utmost respect and transparency. The challenge we face is to be a leader in digital marketing, while at all times maintaining consumer trust in our ability to safeguard their personal data.
Our goal is to make privacy part of the design of our businesses and organisation. We engage closely with external stakeholders to anticipate and respond to changes in consumers’ expectations, security threats and regulation. We work with partners to ensure privacy compliance in all their activities for Nestlé. Several of our data privacy professionals are members of data privacy organisations and actively participate in the external debate. We also engage on data privacy issues with national and regional regulators, either directly or through industry associations.
Our approach is founded on our internal data privacy governance framework, which consists of clear, robust internal standards and an organisational structure empowered to enforce them.
- Only be processed for specific and legitimate business purposes;
- Be processed fairly and lawfully;
- Be properly managed;
- Be protected against unauthorised processing and damage;
- Be accessible when in the form of data collections; and
- Not be transferred to third parties or other countries without adequate safeguards.
Additional restrictions apply to processing sensitive personal data.
To the best of our knowledge, we have one substantiated data breach complaint to report for 2014. The complaint was submitted by a consumer and related to data collected in relation to a consumer promotion. Our investigation showed that the issue originated with a sub-contractor of an agency that Nestlé had engaged for the promotion. The issue was remedied immediately, the consumer was informed and steps were taken to prevent similar incidents in the future. The incident had no further repercussions.
Simultaneously, we seek to reinforce capabilities and controls across the Group, and Nestlé’s Data Protection Office verifies compliance with our internal standards and provides advice, support and guidance on their implementation. It is supported by Data Privacy Officers and Champions in our businesses and functions. The organisation will be further strengthened during 2015, when we plan to build even greater data protection competencies across the Group.
- We reinforced our internal privacy compliance framework in relation to digital marketing activities, with a new binding internal standard and new processes applicable to all employees and contractors involved in this business area. The standard requires that a privacy impact assessment is made ahead of initiating projects involving digital platforms, and that all such platforms are registered centrally for improved control and monitoring.
- We completed the project started in 2013 to remove inconsistencies in how we inform consumers of their privacy rights. Building on this, we have started several initiatives to communicate our privacy notices to consumers clearly and concisely.
- We pursued our efforts to obtain ISO 27001 certifications in key data privacy areas, including for human resources, consumer services and information services and technology. In 2014, we obtained nine certifications.
- We developed company-wide e-training on data privacy, which we will roll out across the organisation beginning in 2015.
- We recruited a Senior Legal Counsel Data Privacy to lead efforts in the field of data privacy within the Group.