At the recent Europe Data Protection Congress in Brussels, Belgium, the IAPP named Vodafone the 2019 recipient of the HPE-IAPP Privacy Innovation Award. Vodafone was honored for its global privacy program that is compliant with the EU General Data Protection Regulation. The telecommunications company has created an integrated privacy, security and ethics control framework that ensures data governance and use extends beyond legal compliance and social acceptability to implement privacy as business as usual, anywhere in the world.
The HPE-IAPP Privacy Innovation Awards recognize unique programs and services in global privacy and data protection in the private and public sectors that integrate privacy so that its value both as a competitive differentiator and a centerpiece of customer trust is elevated.
“It’s really, really fantastic,” Vodafone Global Privacy Officer and Head of Legal, Privacy, Security and Content Standards Mikko Niva said of the award. “It’s not just a recognition for us as a privacy team, but also for Vodafone as an organization that really takes these things very seriously” and wants to go beyond compliance to do what’s right for its customers. “It’s a massive honor. We set ourselves apart to be one of the best privacy teams in the world, and this just feels like a major milestone on that path.”
As one of the world’s largest telecommunications technology companies — providing services in Europe, the Middle East, Africa and Asia-Pacific region — Vodafone processes a significant amount of sensitive personal data. The company sought to do so in a way that goes further than what is required to improve “the lives of our customers” and also “protect their privacy.”
A global model then, he said, was an obvious choice.
“We don’t believe in privacy haves and privacy have nots. Privacy is a human right that is obviously enjoyed by everyone irrespective of their national laws. We as a company do recognize that,” he said. “It’s all about being fair. It’s all about promoting sound values of fairness, transparency and accountability wherever we operate, not just where we have to promote these things.”
While Vodafone had a global privacy program before the GDPR was implemented in May 2018, the company saw the regulation as an opportunity to embed privacy into its operations anywhere in the world. It started with local markets in Europe and then extended its program to local operating companies, subsidiaries and partners across the globe, according to Global Privacy Program Manager Georgina Kearney, CIPP/E.
“The GDPR was an opportunity for us to define better, in more detail, what the requirements were, what the deliverables were, to be GDPR compliant. It worked so well that it’s now repurposed also for our non-European markets,” she said. “It wasn’t something that was new; it was something that was enhanced. We took the GDPR as an opportunity to roll it out better.”
Vodafone offers its privacy program as a product to assist partner markets with their own frameworks. It has also developed a “human impact assessment” to evaluate risks to an individual’s right to privacy when considering products, services and data initiatives.
Across its markets, Niva said Vodafone’s privacy team is made up of approximately 100 staff members, with each market having its own privacy team. Adding those who contribute to privacy activities in various ways, that number increases to thousands of “privacy champions,” he said.
“There’s been a dramatic improvement in the maturity of the privacy profession,” Niva said. “When you look at it, one of the biggest challenges probably for all companies doing this massive GDPR exercise is to get to a maturity in the organization where the organization recognizes privacy almost as a regime of its own right. It’s not merely a subset of the legal or some other department. It is its own thing.”
Vodafone’s privacy program has “had a huge impact,” Niva said, and has “really driven the right type of responsible attitude across the organization.”
“People do understand that failure in these things is not really an option, that it’s an essential part of our values and purpose.”
Top photo: Vodafone Senior Global Privacy Program Manager Peter Strasser and Global Privacy Program Senior Manager Terry Evetts, CIPP/E, CIPM, FIP, accept the 2019 HPE-IAPP Privacy Innovation Award from HPE Senior Privacy Counsel Julia Bonder-Le Berre, CIPM.