Vodafone 2025 Annual Report

Vodafone Group Plc Annual Report 2025 47

Strategic report

Governance

Financials

Other information

Our approach continued

Privacy compliance We have an experienced team of privacy specialists dedicated to ensuring compliance with data protection laws and our policies in the countries where we operate. Our privacy controls frameworks are subject to periodic review and risk based evaluation to identify and implement areas for improvement. In addition to introducing updates to our global privacy controls, we also require every employee, and where possible contractors, to complete our Doing What’s Right (‘DWR’) privacy training within six weeks of joining. In addition, they need to complete refresher courses in line with our annual learning intervention cycle. We also have targeted training for high-risk teams with a key role in personal data processing. We have a clear process for managing privacy risks across the data life cycle, and teams from across Vodafone ensure end-to-end coverage. Dedicated security teams are tasked with applying appropriate technical and organisational information security measures to protect personal data against unauthorised access, disclosure, loss or use during transit and at rest. R ead more about cyber security on pages 48 to 52 All products, services and processes are subject to privacy impact assessments as part of their development and throughout their life cycle. We maintain personal data processing records, supplier privacy compliance, data breach management and individual rights processes, and internal and international data transfer compliance frameworks, as well as training and awareness programmes.

In our supply chain, privacy and security requirements form a key part of our supplier management processes. All suppliers go through a thorough onboarding process to verify their adherence to these requirements, with appropriate data protection measures and continuous monitoring agreed. Our teams monitor and influence regulatory as well as industry developments and work to build and maintain relationships with local data protection authorities and other key stakeholders. The effectiveness of control implementation is subject to quarterly reporting and annual evidence-based testing by the privacy teams, as well as internal audit. Control implementation is also reviewed by local market CEOs, the Group Risk and Compliance Committee and the Audit and Risk Committee. Any findings are subject to remedial actions by the responsible control operator, and their completion is monitored. Responding to privacy incidents We have dedicated standards and monitoring (covering both internal process implementation effectiveness and reference external cases) to prevent, identify, contain, and report incidents with lessons learnt to all internal and external stakeholders as necessary. Our performance We aim to achieve a 90% completion rate on both generic (DWR) and specific (high risk role) trainings for all target groups across our global footprint. In FY25, 89% of assigned employees completed DWR or more specific privacy training. We aim to avoid any data breach or data misuse resulting in material impacts. We have a strong culture of data privacy, and our assurance and monitoring activities are designed to identify potential issues before they materialise and as a result Vodafone did not receive material fine during the financial year.

Vodafone’s approach to responsible artificial intelligence (‘AI’) Vodafone’s AI governance approach demonstrates our desire to engage with AI in an ethical and responsible manner for the benefit of customers, employees, and society. We first released our ethical AI framework in 2019. We have further formalised our governance of AI. The AI Governance Board is a senior steering group that defines strategy and policy for AI and monitors its execution. The board is chaired by the Vodafone Chief Technology Officer and is attended by the CEO of Vodafone Business, Group Commercial Function Director, Chief HR Officer, General Counsel, and Company Secretary. The AI Governance Board is supported by the following functions: the Global AI Data and Analytics function leads the deployment of the AI initiatives. The AI innovation team drives AI innovation. HR is responsible for upskilling our workforce, and the Responsible AI Office ensures compliance with and ethical use of AI, together with our Secure and Privacy by Design and External Affairs teams. Recently, we have rolled out an internal risk assessment for AI applications to continue managing the ever-increasing risk for AI. Additionally, we have implemented a set of responsible AI guardrails to our internal AI development platforms making sure that there is a set of controls mitigating known risk domains for generative AI applications. On the external front, Vodafone contributed to the development and launch of the GSMA Responsible AI Maturity Roadmap and is a standing member of the GSMA Responsible AI working group. We have also signed up to the AI Pact operated by the AI Office in the form of a voluntary pledge.

The privacy leadership team approves new standards and guidelines and monitors the implementation of global privacy plans. Operating companies also maintain Privacy Steering Committees that bring together privacy and security teams and senior management from relevant business functions. Enabling customers to control their data Our state-of-the-art, multi-channel permission management approach has been deployed across our channels (MyVodafone app, website, call centres and retail stores) since 2018. This approach allows our customers to control how we use their data for marketing and other purposes at any time and the permissions are synchronised across our channels. For example, customers can: – Opt in for the processing of special categories of data; – Choose what data we collect through the MyVodafone app and how it is used; – Opt out from marketing across different channels (call, SMS, notifications), or opt-in to the use of their communications metadata for marketing purposes or for receiving third-party marketing messages; and – Opt out from the use of anonymised network and location data (‘Vodafone Analytics’). Click to read more about uses of customer data: investors.vodafone.com/sasb