Privacy is for everyone
Millions of people communicate and share information over our networks, enabling them to connect, innovate and prosper. Customers trust us with their data and maintaining this trust is critical.
We believe that everyone has a right to privacy, wherever they live in the world, and our commitment to our customers’ privacy goes beyond legal compliance. As a result, our privacy programme applies globally, irrespective of whether there are local data protection or privacy laws. Our Privacy Management Policy is based on the European Union General Data Protection Regulation (‘GDPR’) and this is applied across Vodafone markets both inside and outside the European Economic Area. Our Privacy Management Policy establishes a framework within which local data protection and privacy laws are respected and sets a baseline for those markets where there are no specific legal requirements.
We always seek to respect and protect the right to privacy, including our customers’ lawful rights to hold and express opinions and share information and ideas without interference. At the same time, as a licensed national operator, we are obliged to comply with lawful orders from national authorities and the judiciary, including law enforcement.
Managing privacy
As data volumes continue to grow and regulatory and customer scrutiny increases, it is important to be clear on the privacy risks we face, as well as how our policies and programmes can mitigate these risks.
To help us identify and manage evolving risks, we constantly evaluate our business strategy, new technologies, products and services as well as government policies and regulation.
We categorise data privacy risk into three main areas:
Collection
Collection of personal data without permissions or excessive collection of data.
Access & use
Use of personal data for unauthorised purposes, excessive data retention or poor data quality.
Sharing
Unauthorised disclosure of personal data, including supplier non-compliance.
Privacy principles
Our privacy programme governs how we collect, use and manage our customers’ personal data to ensure we respect the confidentiality of their communications and any choices that they have made regarding the use of their data.
Our privacy programme is based on the following principles:
Accountability
We are accountable for living up to our commitments throughout Vodafone and with our partners and suppliers.
Choice and access
We give people the ability to make simple and meaningful choices about their privacy and allow individuals, where appropriate, to access, update or delete their personal data.
Privacy by design
Respect for privacy is a key component in the design, development and delivery of our products and services.
Responsible data management
We apply appropriate data management practices to govern the processing of personal data. We carefully select external partners and we limit disclosure of personal data to what is described in our privacy notices or to what has been authorised by our customers. We also ensure that personal data is not stored for longer than is necessary or required by applicable laws, and that the accuracy of data is maintained.
Fairness and lawfulness
We comply with privacy laws and act with integrity and fairness. We also actively engage with stakeholders, including civil society, academic institutions, industry and government, in order to share our expertise, learn from others, and shape better, more meaningful privacy laws and standards.
Security safeguards
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, use, modification or loss.
Openness and honesty
We communicate clearly about our actions that may impact privacy, we ensure our actions reflect our words and we are open to feedback.
Balance
When we are required to balance the right to privacy against other obligations necessary for a free and secure society, we work to minimise privacy impacts.
Using customer data
Our mission is to enable our customers to get the most out of our products and services. In order to provide these services, we need to use our customers’ personal information. We are committed to looking after our customers’ data, using it for its stated purpose, and we are always open about what we collect.
Operating model
We have an experienced team of privacy specialists dedicated to ensuring compliance with data protection laws and our policies in the countries where we operate.
We apply a process-based approach to managing privacy risks across the data lifecycle and work closely with Cyber and Corporate Security, Products, IT & Digital, Networks, HR, Finance, Supply Chain and other teams to ensure end-to-end coverage. Dedicated security teams ensure appropriate technical and organisational information security measures are applied to protect personal data against unauthorised access, disclosure, loss or use during transit and at rest.
A privacy first approach
All products, services and processes are subject to privacy impact assessments as part of their development and throughout their lifecycle. We maintain Personal Data Processing Records, Supplier Privacy Compliance, Data Breach Management and Individual Rights processes, as well as Internal and International Data Transfer compliance frameworks and training and awareness programmes.
Our teams monitor and influence regulatory and industry developments and work to build and maintain relationships with local data protection authorities and other key stakeholders.
Privacy training for all
Our privacy control frameworks are subject to continuous risk-based improvements. In addition to introducing updates to our global privacy controls, we have also introduced an updated privacy module that is part of our mandatory ‘Doing What’s Right’ training. Every employee and non-employee must complete the training within six weeks of joining Vodafone and then every two years. We have also refined training for high-risk roles aimed at teams with a key role in personal data processing. With the updated approach we aim to achieve a 90% completion rate on both types of training across all target groups across our global footprint.
The effectiveness of control implementation is subject to regular reporting and testing by the privacy teams and internal audit. Any findings are subject to remedial actions by the responsible control operator, and completion is monitored.
Governance
Privacy Policy management
The Group General Counsel and Company Secretary, a member of the Group Executive Committee, oversees the global privacy programme. The Group Privacy Officer, reporting to the Group General Counsel, is responsible for managing and overseeing the privacy programme on a day-to-day basis across the markets and provides regular status reports to the Group General Counsel and an annual update to the Group Audit and Risk Committee.
Key roles and responsibilities
Whilst each employee is responsible for protecting the personal data they are trusted with, accountability for compliance sits with each operating company. A member of the local executive committee oversees the local implementation of our privacy programme. Each operating company also has a dedicated privacy officer, privacy legal counsel and their privacy specialists. Local privacy officers report to the Group Privacy Officer throughout the year.
Working in partnership
The Privacy Leadership Team approves new standards and guidelines and monitors the implementation of global privacy plans. Operating companies also maintain privacy steering committees that bring together privacy and security teams and senior management from relevant business functions.
Monitoring and response
Vodafone monitors compliance with privacy controls and has an experienced team to manage incidents.
Our privacy controls are subject to rigorous and regular evidence-based testing by our Privacy Governance, Risk and Compliance team. In addition, our Internal Audit teams perform audits on selected privacy controls and business activities with particular privacy relevance. Possible findings are subject to mitigation plans and heightened monitoring, as the case may be.
Our processes ensure that any identified incidents are contained and that steps are taken to mitigate any negative effects. Where required, we will notify regulators as well as our customers.
To learn about how we have dealt with privacy incidents please view our annual report.
For details on how we respond to a data breach, please visit our cyber security page.
Permissions management
At Vodafone we give control to our customers when it comes to the use of their data. Each Vodafone local market has a centralised permissions platform to help customers manage their preferences in near real-time.