Vodafone 2024 Annual Report

Purpose (continued) 46 Vodafone Group Plc Annual Report 2024

Strategic report

Governance

Financials

Other information

Cyber security Strategy Our cyber security strategy

Governance The General Counsel and Company Secretary, a member of the Executive Committee, oversees the global privacy programme. The Group Privacy Officer, reporting to the General Counsel, is responsible for managing and overseeing the privacy programme on a day-to-day basis across the markets and provides regular status reports to the General Counsel and Company Secretary and an annual update to the Audit and Risk Committee. During the year, the Group Chief Executive conducted regular compliance reviews, to seek to ensure operating companies were adhering to the Group’s policies and procedures. This included oversight of our privacy programme. Whilst each employee is responsible for protecting personal data they are trusted with, accountability for compliance sits with each operating company. A member of the local executive committee oversees the local implementation of our privacy programme. Each operating company also has a dedicated privacy officer, privacy legal counsel and other privacy specialists. Local privacy officers report to the Group Privacy Officer throughout the year. The privacy leadership team approves new standards and guidelines and monitors the implementation of global privacy plans. Operating companies also maintain privacy steering committees that bring together privacy and security teams and senior management from relevant business functions. Privacy incidents We have a strong culture of data privacy and our assurance and monitoring activities are designed to identify potential issues before they materialise. However, during the financial year, excluding Italy and Spain, Vodafone was fined €42,000 (FY23: €65,000) for separate data privacy issues, primarily relating to marketing without consent, human and system errors in data processing, and delayed execution of data subject rights. In response, we have introduced new standards and increased monitoring. Read more about how we respond to a data breach on pages 46 to 51 Vodafone’s approach to responsible artificial intelligence (‘AI’) Vodafone’s AI governance approach demonstrates our desire to engage with AI in an ethical and responsible manner for the benefit of customers, employees, and society. We first released our ethical AI framework in 2019. We have further formalised our governance of AI. The AI Governance Board is a senior steering group that defines strategy and policy for AI and monitors its execution. The board is chaired by the Vodafone Chief Commercial Officer, and is attended by the CEO of Vodafone Business, Chief Technology Officer, Chief HR Officer and Chief Legal Officer. The AI Governance Board is supported by the following functions: the Global AI Data and Analytics function leads the deployment of the AI initiatives. The AI innovation team drives AI innovation. HR is responsible for upskilling our workforce, and the Responsible AI Office ensures compliance and ethical use of AI, together with our Secure and Privacy by Design and External Affairs teams. Case study: De-risking personal data with synthetic data Privacy enhancing technologies (‘PET’s) reduce the risks associated with personal data. PETs are part of Vodafone’s privacy risk management approach. Vodafone has been experimenting with synthetic data recently. Synthetic data is data that is artificially created instead of collected from real-world events, it is produced by algorithms and is used, for example, to replace test data sets of production or operational data, test mathematical models, train machine learning models, or run different analytics use cases. Synthetic data is not personal data, but it maintains the statistical features of the original data. This means it can be used for many use cases without regulatory obstacles. C lick to read more about our approach to artificial intelligence vodafone.com/privacy

Our vision is a secure connected future for our customers and society. We are motivated by a clear purpose to inspire customer trust and loyalty through providing sustained cyber security, ultimately contributing to a secure society and an inclusive future for all. Our cyber security strategy and operating model support our vision and goals, and form part of our wider Company strategy. Each year we refresh our cyber security strategy and every five years redevelop the cyber security strategy based on changes in the internal and external environment. Our strategy is based on core principles, including: – Act as an enabler for the business; – Be proactive, risk and threat-led, supported by data-driven decisions, automation and digitalisation; – Build and assure security in all products and services; and – Simplify architecture though partnership with key suppliers. To implement these principles, our strategy is delivered through six pillars of change: Control evolution: Maintain and improve our security controls and procedures beyond the existing cyber security baseline with an adaptive and risk-based framework; Secure by design: All products and services have security built in, whether we build them ourselves or buy them from vendors; Dynamic trust: Strong zero-trust security based on dynamic risk-based access that is frictionless for users: for example, multi- factor authentication and moving away from passwords; Real-time data and real-time response: The next generation of our detection and response capability, more automated and based on advanced analytics; Spirit of Vodafone and cyber culture: Engaging our people, nurturing our engineering community and Group-wide cyber security training and simulations; and Security for society: Collaborate widely to encourage standardisation, share intelligence, and engage on regulation. Each year we define and communicate priorities for a three-year period, so all areas of our business are clear on the investment priorities for security. We track progress against these priorities throughout the year. Year ahead The priorities for the coming year include updating and redeveloping our cyber security strategy in line with future technology changes and expected threats. This strategy will position us to manage changes in technology, threats and the external environment. Key priorities for the year include: – Design and development of a new security operations platform; – Further strengthening of identity, access control and authentication; – End-to-end security of our telecommunications networks, transforming how we manage the security of our third parties; and – New adaptive cyber risk methodology. Alongside these priorities, we continue to focus on security control improvement, efficiency and automation, including automation of key risk indicators that provide data driven measurement of our security position. Click or scan to watch our cyber security experts summarise our approach to cyber security: investors.vodafone.com/videos Click to read our cyber security factsheet: investors.vodafone.com/ cyber

Powered by