Global consumer goods manufacturer Unilever has set up a programme to address privacy issues relating to customer data, says Steve Wright, global privacy officer at the company.
He said regulatory compliance was not the only driver for establishing a privacy programme that seeks to address the challenges presented by continually evolving technology, threats and legislation.
“We not only have a legal responsibility, but also an ethical and moral responsibility to consumers,” he told the London SC Congress 2014.
Consequently, Unilever takes privacy extremely seriously and has adopted a pragmatic approach rather than a legal compliance approach that is applied uniformly around the world, said Wright.
However, compliance is still a factor, and the two key issues facing multinational companies, he said, are where personal data is stored and consent to use customers' personal information.
The company is already gearing up to deal with the changes proposed in the delayed process of updating European data protection legislation.
The latest draft of the proposed new data protection regulation indicates increased requirements around explicit consent and transparency with regard to collecting and using personal customer data.
“This will be a bit of a game changer because in the past with things like competitions, a lot of consent has been implicit,” said Wright.
The proposed mandatory breach notification requirement is another challenge that the new data protection legislation will introduce.
“Although we have processes for recording incidents, it will be difficult to be able to report on that, particularly within the time frames being considered,” said Wright.
“It will be a massive undertaking, a big challenge to be able to spot and contain a data breach and at the same time determine whether personal data is involved and report on that quickly,” he said.
In preparation for this challenge, Unilever is engaging with its industry peers to benchmark its position and learn from others on how best to adapt.
“Younger, smaller online businesses have the advantage of greater agility and of having privacy by design already built in.
“For us it is more of a challenge, but it is as much about winning hearts and minds as it is about business processes,” said Wright.
Although it is largely a fallacy that younger generations do not care as much about their privacy, he said, the challenge in the workplace is setting the boundary between social and work activity online.
“With younger people coming into the workforce, this line is becoming increasingly blurred,” said Wright.
In the competitive consumer goods market, he said, data is increasingly important to be able to “laser target” advertising.
“Growing the trust relationship comes back to consent and transparency, which are key to enabling businesses to do more with customer data,” said Wright.
One tip Unilever can pass on, he said, is to review privacy regulations in all the jurisdictions a company trades in and boil them down to as small a set of rules as possible that satisfies all requirements.
“We reduced the requirements of more than 100 laws and regulations around the world to just 36 principles that govern all our business processes around the world,” said Wright.
Although this goes a long way to ensuring compliance, he said that for large companies, keeping track of where the data is stored remains an ongoing challenge.