Amit Pradhan, CISO, on Data Privacy at Vodafone


As Vodafone celebrated ‘Vodafone Privacy Month’, we interviewed Amit Pradhan, CISO & VP – Technology Security, Vodafone India Ltd, on how privacy is a key component of its varied products and services.

Q1. What have been the privacy milestones in the past year for Vodafone India?

‘Privacy by Design’ methodology and ‘Awareness of Privacy’ are key focus areas for Vodafone. Privacy is a key component in the design, development and delivery of our products and services. We aim to ensure that the processes/systems capture only required personal information elements, take the consent appropriately, that appropriate technical security controls are implemented and that the teams define storage and retention policies as per regulatory/business requirement.

Our comprehensive privacy programme provides us with a framework to help us live up to our privacy commitments in our day-to-day operations while ensuring that we stay ahead of new privacy concerns and risks as they emerge and, of course the legal and regulatory requirements.

On an annual basis, our privacy team updates the Vodafone Privacy Framework, Induction deck, awareness material for call centers/retail and ensures that all our employees complete the eLearning module. Continuing a strong drive towards awareness, Vodafone set out a series of eLearning courses for employees: Privacy Basics, Privacy-by-Design and Privacy and Human Rights.

In addition to this, Privacy Impact Assessment is performed for all applications/functions processing personal information by the privacy team. The key outcomes of this analysis are implementation of technical controls (encryption, logging, classification etc.), review of reports/databases having personal information, re-validating role-based access to systems, review of storage and retention policies etc.

In the year 2014, Vodafone India became the first telecom company to obtain DSCI Privacy Certification for its Delhi circle. The DSCI Privacy Framework (DPF©) focuses on building a tactical approach to enhance the privacy culture of the organization so that the changing threat and regulatory landscape can be addressed effectively and efficiently.

Q2. Is ‘Data Privacy’ considered as a brand differentiator at Vodafone India? How has Vodafone been able to practice it to add value to its brand?

Customers entrust us with their privacy – whether it’s the protection of their personal information or the confidentiality of their private communications. The way we handle privacy is a vital part of our responsibility to customers and how we earn their trust. The success of our business depends upon our customers being confident that we will respect their privacy.

Vodafone has set out its commitment to privacy and security at the highest level in its Code of Conduct, which all Vodafone employees are bound by. Our Privacy Commitments, which are part of our Code of Conduct, set out the principles that govern our approach to privacy.

These Privacy Commitments encapsulate three key elements of building customer trust:

  • Transparency: Being more open about what we do
  • Empowerment: Using our technology to empower our customers and give them control over their personal information
  • Reassurance: Making sure that we do what we promise to and that we are doing what’s right

Q3. How does the board, senior management and leaders understand and consider the concept and importance of data privacy?

Privacy at Vodafone is considered as a brand differentiator as well as a risk. Data privacy is identified as one of the top 5 risks by the Executive Committee of Vodafone and is treated effectively. The Vodafone India privacy program is reviewed frequently by senior management, which involves briefing on the privacy program and milestones achieved, and taking valuable feedback on the program. In addition to this, the team reports major achievements, changes in regulatory environment and incidents to the leadership team.

As a regular practice, Vodafone reviews its Privacy Policy on an annual basis and the leadership is briefed on the policy/changes. In addition to this, PIMS (Privacy Impact Management System) framework is updated to incorporate the changes in the legal, regulatory and ecosystem.

In addition to this, a ‘Privacy Council’ has been formulated wherein privacy matters are discussed on a quarterly basis. The members of the Council are key stakeholders from Technology, Legal, Regulatory domains and key business functions such as Finance, Marketing, Retail, Customer Service etc.

Q4. How does Vodafone India address the privacy demand of its consumers (if any) and increase the data privacy awareness among its consumers?

Our website provides explicit details about our privacy policies and how we ensure data privacy of our customers. The Vodafone Customer Service Team undertakes periodic sessions for subscribers at circles. We have included tips on Mobile Security and general privacy and security tips, like protecting phone devices with PIN, practicing caution before sharing any personal information etc., as part of the awareness module.

Vodafone customers can register their privacy related queries / complaints by sending an e-mail to privacyofficer@vodafone.com and the issues are addressed on an immediate basis and resolution is confirmed to the customers.

Vodafone focuses on innovation and continual improvement in the privacy program by taking inputs from internal as well as external stakeholders. Vodafone incorporates “Privacy by Design” as its philosophy to protect data privacy. Respect for privacy is a key component in the design, development and delivery of our products and services.

Q5. Does the organization’s strategy comply with all the requirements that the law can ask for?

Vodafone India Privacy policy aligns to the requirements stated in the Information Technology (Amendment) Act, 2008 and also various national / international standards such as BS 10012, GAPP (Generally Accepted Privacy Principles) and DSCI Privacy Framework. Sensitive Personal Data or Information (as outlined in rules notified under Section 43A of IT (Amendment) Act, 2008) collected and processed by Vodafone India is identified and inventoried, and privacy controls are implemented accordingly. Vodafone India ensures compliance to DSCI Privacy Framework (DPF©) and BS 10012 privacy requirements by getting periodic review by an external auditor.

Q6. In the recent consultation paper by TRAI on Over-The-Top (OTT) players’ regulation, certain concerns were raised on data privacy of consumers’ information while using Internet apps and services. In the current state of technological advancement, how will data privacy be ascertained, given that privacy and business opportunities, in certain cases, can be negatively linked goals?

Vodafone recognized this as a legitimate concern a few months ago, and as a result led the work of the Groupe Speciale Mobile Association (GSMA) to develop privacy guidelines for mobile app developers – those guidelines can be found here. Vodafone is committed to working with app developers that comply with these guidelines.

In all cases, as a business practice and as per the laws of the land, Vodafone ensures privacy of customers’ sensitive data.

Q7. Given your experience in Telecom, Banking & eCommerce segments, how critically do you think has the data privacy function emerged within these industry segments?

Keeping the importance of data privacy in mind, DSCI was established by NASSCOM in 2008 as a focal body for data protection in India. DSCI has created platforms for discussions on data protection matters so that professionals remain abreast of the latest developments. A lot of companies have got their employees certified on DSCI Privacy Lead Assessor Certification (DCPLA©) to make employees aware about privacy requirements stated in IT Act, key responsibilities of privacy function and privacy good practices. Privacy dialogue has been initiated within the industry through various forums like DSCI chapter meetings and is an emerging trend. The telecom sector is understanding the need to protect personal information as this holds immense value when used for analytics/market analysis etc.

Q8. On the occasion, what would be Vodafone’s message to the industry?

The explosive growth in the quantity and quality of personal data has created a significant opportunity to generate new forms of economic and social value. Further, the digital nature of personal data means it can be distributed globally. The organizations should focus on proactive engineering activities to build privacy into their products from the onset. In addition to following ‘Privacy by Design’ methodology, regular reviews/audits should be conducted according to global frameworks like GAPP/BS 10012 to ascertain personal information is safeguarded and secured at all times. The organizations should ensure all staff are mandatorily trained on ‘Privacy basics’ and there are awareness campaigns around the year to inculcate privacy culture.