| INTEGRATED REPORT 2019 |
Maintaining data privacy and cybersecurity
In recent years, there has been increasing public awareness of privacy issues and greater scrutiny by stakeholders of how companies approach data privacy. Global data protection laws have become more prevalent and rigorously enforced.
Even before the EU General Data Protection Regulation (GDPR) became effective in May 2018, PMI had developed, and maintains, its Global Privacy Program (GPP) to establish new global standards for data privacy across our markets and functions. The GPP was developed and deployed using an internationally recognized privacy management system. The program is designed to support PMI functions and affiliates within the EU to achieve and demonstrate GDPR compliance and to embed policies and practices that facilitate data privacy compliance.
Outside the EU, the GPP sets the GDPR as PMI’s global standard where this is consistent with local law and practices, ensuring that the whole PMI organization is aligned to a high standard of privacy practice. Core to GPP is balancing central governance for data privacy with local responsibility in markets and functions to execute the program. Our External Affairs and Information Security and Data Privacy groups have come together to run a central privacy office with reporting twice per year to the Corporate Risk Governance Committee. The GPP mandates practices in areas of privacy governance and accountability, such as the principle of transparency, the management of third-party risks, data privacy impact assessments, awareness and training, privacy compliance assessments, personal data inventories, and data subject rights.
We use information systems to help manage business processes, collect and interpret data and communicate internally and externally with employees, suppliers, consumers, customers and others. We have backup systems and business continuity plans in place, and we take care to protect our systems and data from unauthorized access. Nevertheless, failure of our systems to function as intended, or penetration of our systems by outside parties’ intent on extracting or corrupting information or otherwise disrupting business processes, could place us at a competitive disadvantage, and cause damage to our reputation and that of our brands. Our ability to protect personal data, respect the rights of data subjects, and adhere to strict cybersecurity protocols is essential, as we are increasingly relying on digital platforms in our business.
This online supplement to our integrated report should be read in conjunction with PMI’s Integrated Report 2019. The information and data presented in this online supplement cover the 2019 calendar year or reflect status at December 31, 2019, worldwide, unless otherwise indicated. Where not specified, data come from PMI estimates. See About this online supplement for more information. Aspirational targets and goals do not constitute financial projections, and achievement of future results is subject to risks, uncertainties and inaccurate assumptions, as outlined in our forward-looking and cautionary statements.
