Vodafone 2024 Annual Report

45 Vodafone Group Plc Annual Report 2024

Strategic report

Governance

Financials

Other information

Customers Responsible use of data

Our customer privacy statements and other customer-facing documents provide comprehensive information on how these rights can be exercised and how to raise complaints or contact the relevant data protection authority. Our frontline retail and customer support staff are trained to respond to customer requests. Our state-of-the-art, multi-channel permission management approach has been deployed across our channels (MyVodafone app, website, call centres and retail stores) since 2018. This approach allows our customers to control how we use their data for marketing and other purposes at any time and the permissions are synchronised across our channels. For example, customers can: – Opt-in for the processing of special categories of data; – Choose what data we collect through the MyVodafone app and how it is used; – Opt-out from marketing across different channels (call, SMS, notifications), or opt-in to the use of their communications metadata for marketing purposes or for receiving third-party marketing messages; and – Opt-out from the use of anonymised network and location data (‘Vodafone Analytics’). Click to read more about our privacy policies: vodafone.com/privacy Operating model We have an experienced team of privacy specialists dedicated to ensuring compliance with data protection laws and our policies in the countries where we operate. We have a clear process for managing privacy risks across the data life cycle and teams from across Vodafone ensure end-to-end coverage. Dedicated security teams are tasked with applying appropriate technical and organisational information security measures to protect personal data against unauthorised access, disclosure, loss or use during transit and at rest. Read more about cyber security on pages 46 to 51 All products, services and processes are subject to privacy impact assessments as part of their development and throughout their life cycle. We maintain personal data processing records, supplier privacy compliance, data breach management and individual rights processes, as well as internal and international data transfer compliance frameworks, and training and awareness programmes. In our supply chain, privacy and security requirements form a key part of our supplier management processes. All suppliers go through a thorough onboarding process to verify their adherence to these requirements, with appropriate data protection measures and continuous monitoring agreed. Our teams monitor and influence regulatory and industry developments and work to build and maintain relationships with local data protection authorities and other key stakeholders. Our privacy control frameworks are subject to continuous risk-based improvements. In addition to introducing updates to our global privacy controls, we also require every employee, and where possible contractors, to complete DWR privacy training within six weeks of joining. In addition, they need to complete refresher courses in line with our annual learning intervention cycle. We also have targeted training for high-risk teams with a key role in personal data processing. With this approach we aim to achieve a 90% completion rate on both types of training for all target groups across our global footprint. In FY24, 94% of assigned employees completed DWR or more specific privacy training. The effectiveness of control implementation is subject to quarterly reporting, and annual evidence-based testing by the privacy teams, as well as internal audit. Control implementation is also reviewed by local market CEOs, the Group Risk and Compliance Committee and the Audit and Risk Committee. Any findings are subject to remedial actions by the responsible control operator, and completion is monitored.

Privacy risks As data volumes continue to grow and regulatory and customer scrutiny increases, it is important to be clear on the privacy risks we face, as well as how our policies and programmes can mitigate these. We categorise data privacy risk into three main areas: – Collection: collection of personal data without permissions, or excessive collection of data; – Access & use: use of personal data for unauthorised purposes, excessive data retention or poor data quality; and – Sharing: unauthorised disclosure of personal data, including supplier non-compliance with the law or our own policies. To help us identify and manage evolving risks, we constantly evaluate our business strategy, new technologies, products and services, as well as government policies and regulation. Privacy principles Our privacy programme governs how we collect, use and manage our customers’ personal data to ensure we respect the confidentiality of their communications and any choices that they have made regarding the use of their data. Our privacy programme is based on the following principles: accountability; fairness and lawfulness; choice and access; security safeguards; privacy by design; openness and honesty; responsible data management; and balance. Click to read more about our privacy principles and how they guide the way our products are designed and built: vodafone.com/privacy Using customer data We want to enable our customers to get the most out of our products and services. To provide these services, we need to use our customers’ personal information. We aim to protect our customers’ data and only to use it for a stated and specific purpose, and we are always open about what customer data we collect, and why we collect it. Click to read more about uses of customer data: investors.vodafone.com/sasb Each local market publishes a privacy statement to provide clear, transparent and relevant information on how we collect and use personal data, what choices are available regarding its use and how customers can exercise their rights. Our product-specific privacy notices include details relating to a particular product. These statements and notices are available to customers online, in the MyVodafone app and in our retail stores. We provide our customers with access to their data through online and physical channels. These channels can be used to request deletion of data that is no longer necessary, or for correcting outdated or incorrect data, or for data portability. Millions of people communicate and share information over our networks, enabling them to connect, innovate and prosper. Customers trust us with their data and maintaining this trust is critical. Data privacy We believe that everyone has a right to privacy wherever they live in the world, and our commitment to our customers’ privacy goes beyond legal compliance. As a result, our privacy programme applies globally, irrespective of whether there are local data protection or privacy laws. Our privacy management policy is based on the European Union General Data Protection Regulation (‘GDPR’) and this is applied across Vodafone markets both inside and outside the European Economic Area. Our privacy management policy establishes a framework within which local data protection and privacy laws are respected and sets a baseline for those markets where there are no equivalent legal requirements. Click or scan to watch our privacy experts summarise our approach to data privacy: investors.vodafone.com/videos

Note: 1. Includes Vodafone Italy and Vodafone Spain.

Powered by