Data privacy and cybersecurity

18 May 2021
In recent years, there has been increasing public awareness of privacy issues and greater scrutiny by stakeholders of how companies approach data privacy.

Global data protection laws have become more prevalent and rigorously enforced. Even before the EU General Data Protection Regulation (GDPR) became effective in May 2018, PMI had developed, and maintains, its global privacy program (GPP) to establish new global standards for data privacy across our markets and functions. The program was developed and deployed using an internationally recognized privacy management system.

The GPP addresses the systems PMI has in place to manage all types of personal data handled by PMI affiliates (for example, consumer data, employee data, candidate data, business partner and other stakeholder data, trader data, and data of visitors to PMI’s corporate websites). The program is designed to support PMI functions and affiliates within the European Economic Area to achieve and demonstrate GDPR compliance and to embed policies and practices that facilitate data privacy compliance.

Data privacy and cybersecurity is a tier 2 topic within our strategic pillar Operating with excellence.


Outside of the European Economic Area, PMI sets the GDPR as its global standard where this is consistent with local law and practices, ensuring that the whole PMI organization is aligned with a high standard of privacy practice. Core to the GPP is balancing the central setting of data privacy standards with the responsibility for compliance sitting with the markets and functions that operate the business.

Our Law department, and Information Security and Data Privacy group, together run a central privacy office, reporting twice a year to PMI’s Corporate Risk Governance Committee. Part of the GPP is PMI’s policy on data privacy, which mandates practices in areas of privacy governance and accountability, such as the principle of transparency, the management of third-party risks, data privacy impact assessments, awareness and training, privacy compliance assessments, personal data inventories, and data subject rights.

We use information systems to help manage business processes, collect and interpret data, and communicate internally and externally with employees, suppliers, consumers, customers, and others. Some of these information systems are managed by third-party service providers. We have backup systems and business continuity plans in place, and we work with our internal specialists and these third-party service providers to protect these systems and data from unauthorized access.

Nevertheless, failure of these systems to function as intended, or penetration of these systems by outside parties intent on extracting or corrupting information or otherwise disrupting business processes, could place us at a competitive disadvantage, result in a loss of revenue, assets, or personal or other sensitive data, litigation and regulatory action, cause damage to our reputation and that of our brands, and result in significant remediation and other costs. Failure to protect personal data, respect the rights of data subjects, and adhere to strict data governance and cybersecurity protocols could subject us to substantial fines and other legal challenges under regulations such as the GDPR. As we are increasingly relying on digital platforms in our business, and as privacy laws in the jurisdictions in which we do business become more stringent, the magnitude of these risks is likely to increase.

This online content about our Integrated Report should be read in conjunction with PMI’s 2020 Integrated Report. The information and data presented here cover the 2020 calendar year or reflect status at December 31, 2020, worldwide, unless otherwise indicated. Where not specified, data come from PMI estimates. Please also refer to 'About this report' on page 3 of the 2020 Integrated Report for more information. Aspirational targets and goals do not constitute financial projections, and achievement of future results is subject to risks, uncertainties and inaccurate assumptions, as outlined in our forward-looking and cautionary statements on page 145. In the 2020 Integrated Report and in related communications, the terms “materiality,” “material,” and similar terms, when used in the context of economic, environmental, and social topics, are defined in the referenced sustainability standards and are not meant to correspond to the concept of materiality under the U.S. securities laws and/or disclosures required by the U.S. Securities and Exchange Commission.
