Implementation of the EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) entered into force in May 2016 and, after a two-year transition period, has been binding since May 25, 2018. Since laws always require interpretation as to how they should be implemented in day-to-day life, the Group Privacy department has now prepared uniform rules for the entire Group: the Binding Interpretations. They were compiled in collaboration with data privacy experts in the national companies. The Binding Interpretations include specific recommendations and best practice examples for implementing the EU regulation. For example, they explain what a customer consent must entail, or how customer data has to be erased if the customer requests this. From January 2017 to May 25, 2018, the new requirements based on the Binding Interpretations were introduced throughout the Group in a second phase. This involved checking and, where necessary, adjusting all IT systems. All employees were informed about the General Data Protection Regulation and more than 10,000 experts received intensive training. The implementation was followed by the third and last phase of the EU-wide project: the control phase. In this phase, all affected entities of the Group were asked whether they had implemented all relevant requirements. In addition, spot checks for compliance with the GDPR were carried out at 28 entities.
Ensuring effective data privacy
The highest standards of data privacy and data security are core characteristics of our brand identity. In 2008 we created a Board of Management department for Data Privacy, Legal Affairs and Compliance as well as the Group Privacy unit. This has given us the necessary capacities for effective data protection. The responsible Board member is supported by the independent Data Privacy Advisory Board, which comprises renowned experts from politics, science, business and independent organizations. The Board was founded in February 2009.
The Telekom Security business unit commenced operations at the beginning of 2017. The new unit combines the security activities from various Group areas, thereby reinforcing our portfolio of cyber security solutions.
Consistent transparency toward the public
Transparent communication on the topic of data protection is a long-standing tradition at our company: We have been providing information about our activities since 2008, initially in regular data protection reports and, since 2016, on our data protection website www.telekom.com/en/corporate-responsibility/, where we now provide up-to-date and important information about new developments related to data protection and secure handling of personal data.
Since 2014, we have also been publishing an annual transparency report. In the report we disclose our obligations to cooperate with German and international security agencies. The section on protecting consumers and minors elaborates on how we ensure the safety of our products and services.
Regular employee training courses
Telecommunications companies are obliged to provide new employees with information on data privacy regulations. We go above and beyond these legal requirements. Every two years, we train all of our employees in Germany and commit them to data privacy and telecommunications secrecy. Corresponding requirements for our national companies are in place. We have also introduced specific training in the customer and human resources departments, where the risk of data abuse is higher. This training includes online courses for independent learning, presentations on data privacy and face-to-face courses on specific topics such as data protection at call centers. This helps us make sure that all employees have an in-depth understanding of the relevant data privacy policies.
Annual review of measures through audits and certifications
We conduct an annual Group data privacy audit to measure and improve the general data privacy standards throughout the Group. A randomly selected 30 percent of Group employees are asked to participate in an online survey. The Group data privacy audit is supplemented by self-assessments completed by the data privacy officers at the national companies on implementation of the requirements defined in our "Binding Corporate Rules on Privacy."
Based on the results, the Group Privacy department identifies the need for action at the respective departments and requires them to implement improvement measures. To this end, the Global Data Privacy Officer holds personal meetings with the responsible directors, managers and data privacy officers at the different departments. The Group Privacy department supports implementation of the improvement measures by providing information and advice and conducts a follow-up evaluation. Unusual audit results are taken into consideration when planning the follow-up audit.
We also have our processes and management systems as well as products and services certified by external, independent organizations such as TÜV, DEKRA and auditing firms. The technical services company TÜV Nord confirmed once again this year that Deutsche Telekom’s IT systems are secure.
Protecting personal data
Protecting our customers’ data is one of our top priorities. We also provide up-to-date information about all of our data protection activities on our Group website under data protection and data security. The following examples are a brief excerpt of our recent activities: The GDPR took effect in May 2016. After a two-year transition period, the regulation has been binding since May 25, 2018.
International cooperation for cyber security
In 2018, we once again promoted data security on an international level. Among other things, we are a founding partner of the Charter of Trust, which was signed at the Munich Security Conference in February. One of its objectives is to establish general minimum standards for cyber security that are aligned with state-of-the-art technology. Together with our partners, we have identified ten action areas which call for more activity in order to ensure cyber security.
Furthermore, in November 2018 we underscored our commitment to security in the digital world by signing the Paris Call for Trust and Security in Cyberspace. We thereby pledge to intensify and actively shape collaboration in support of integrity and security in the digital world.
Commendation for handling of customer data
For the third time, in 2018 we were commended by the independent testing authority TÜV Informationstechnik (TÜViT) for our handling of customer data. TÜViT certified that our processing of customer data, as it relates to billing, for example, is done in a secure and careful manner.
Security on the go
Since November 2017, we have partnered with the company Check Point Software Technologies to offer the Protect Mobile security solution for smartphones to our consumer customers. Protect Mobile provides reliable protection from cyber attacks through a combination of network protection and an app on the smartphone – when downloading apps, doing online banking or surfing in the browser. Deutsche Telekom customers can add this option free of charge to their existing mobile phone contract. For the most complete protection, customers can also install the app, which is available for Android and iOS from the app stores.
Simple data privacy statements for everyone
Data Privacy Notices are often incomprehensible to the layperson. Our one-pager provides our customers with an easy-to-read overview of data privacy at our company. It contains simple, condensed information on the basics behind our data processing activities. It does not replace our formal data privacy statement, to which we link in the document and which complies with legal requirements. Instead, it provides users with transparent information on how and to what extent we process and use personal data. With this one-pager, we have followed an initiative launched by the National IT Summit, supported by the Federal Ministry of Justice and Consumer Protection.
Encryption for all
Together with the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT), we launched the “Volksverschlüsselung” encryption solution in 2016. It is a simple, free way to encrypt emails. We operate the solution at a high-security data center. The keys are generated on the user’s device. The user is the only person with access to them; they are not sent to the infrastructure operator. To use the encryption, users only need to install the software and identify themselves as part of a simple one-time process. This product supports the federal government’s digital agenda. What’s more, we fulfill the requirements of the Charter for the Promotion of Trustworthy Communications (“Charta zur Stärkung der vertrauenswürdigen Kommunikation”), which was proposed and signed by representatives from the business and scientific communities as well as by political representatives.
Other examples of our comprehensive data protection and security services:
- At the start of 2018, we published practical data protection tips for our customers on our website. We offered these tips with the aim of helping our customers manage, for example, the requirements of the General Data Protection Regulation (GDPR).
- Information on cyber criminals, malware and phishing is distributed over thousands of websites on the internet. The www.sicherdigital.de website brings this information together, providing users with easy access to security issues. Young people, adults and businesses can find useful information and specific tips concerning security and data protection.
- The “Confidential” issue of our We Care magazine talks about how dangerous hacker attacks can be and how users can protect themselves. In the issue Inkognito we discuss how to protect one’s privacy without becoming a digital outsider.
- Users can track cyber attacks on our website in real time using our security dashboard. We show the countries where the cyber attacks are coming from on a map. For more information on this, go to www.sicherheitstacho.eu.
- Our Netzgeschichten (Network Stories) also discuss issues regarding protection of minors and consumers. You can watch all of our videos on YouTube: https://www.youtube.com/user/deutschetelekom
Protecting ourselves and our customers
In line with our Group strategy, we promote our business with security products and services throughout Europe. In 2016 we united all security-related departments Group-wide under one roof, thereby expanding our abilities to detect cyber attacks early on and also to quickly introduce countermeasures. Our Telekom Security unit focuses on internal security issues and develops security solutions for consumers as well as business customers. This approach enables us to provide our customers even more efficiently with the perfect security solutions along the entire value chain, from product development to applications through to secure, high-performance networks and high-security data centers.
We are always working to develop new ways to defend against attacks. We launched a Cyber Emergency Response Team (CERT) in the mid-1990s, which is responsible internationally for managing security incidents for our information and network technologies. Since then, we have continued to expand our activities in relation to cyber defense, information on attacks, and information sharing. In 2017, we opened a new Cyber Defense Center with integrated Security Operation Center (SOC) in Bonn. There we analyze behavioral patterns on the internet and draw up defense strategies. This new defense center is one of the largest and most advanced ones of its kind in Europe, analyzing 2.5 billion pieces of security-relevant data from 3,300 data sources every day. What’s more, the cyber defense center processes about 200 requests, filters about 5,000 viruses and malware programs, and scans about 100 million incoming emails for spam every day. This is how we protect our infrastructure, and hence also our customers’ data. Some 200 security experts work round the clock at the new SOC in Bonn and its affiliated national and international locations.
The measures that we undertake to fight cyber attacks on our own infrastructure are also available to other companies. More than 30 German DAX companies and SMEs employ our services for their own protection.
New dangers require new solutions
Technological innovations can bring new dangers. That is why we develop targeted measures for combating potential new security risks, such as those associated with drones. We developed the Magenta Drone Shield together with our partner Dedrone.
Collaborating in the name of security
Cyber security is a communal task. In order to further improve collaboration in the area of digital defense, we regularly host the Cyber Security Summit in collaboration with the Munich Security Conference. The last summit was held in May 2018. We also organized the Magenta Security Congress in 2018 for the third time.
In addition, we collaborate with research institutes, industry partners, initiatives, standardization committees, public institutions, and other internet service providers on a global scale. Together, we want to fight cybercrime and improve online security. We collaborate, for example, with the German Federal Office for Information Security (BSI) throughout Germany and with the European Union Agency for Network and Information Security (ENISA) at a European level.