Data privacy and cybersecurity

Global data protection laws have become more prevalent and rigorously enforced. Even before the EU General Data Protection Regulation (GDPR) became effective in May 2018, PMI had developed, and maintains, its global privacy program (GPP) to establish new global standards for data privacy across our markets and functions. The program was developed and deployed using an internationally recognized privacy management system.

It addresses the systems PMI has in place to handle all types of personal data handled by PMI affiliates (for example, consumer data, employee data, candidate data, business partner and other stakeholder data, trader data, and data of visitors to PMI’s corporate websites). The program is designed to support PMI functions and affiliates within the European Economic Area to achieve and demonstrate GDPR compliance and to embed policies and practices that facilitate data privacy compliance.

Outside of the European Economic Area, PMI sets the GDPR as its global standard where this is consistent with local law and practices, ensuring that the whole PMI organization is aligned with a high standard of privacy practice. Core to the GPP is balancing the central setting of data privacy standards with the responsibility for compliance sitting with the markets and functions that operate the business.

Our Law department, and Information Security and Data Privacy group, together run a central privacy office, reporting twice a year to PMI’s Corporate Risk Governance Committee. Part of the GPP is PMI’s policy on data privacy, which mandates practices in areas of privacy governance and accountability, such as the principle of transparency, the management of third-party risks, data privacy impact assessments, awareness and training, privacy compliance assessments, personal data inventories, and data subject rights.

We use information systems to help manage business processes, collect and interpret data, and communicate internally and externally with employees, suppliers, consumers, customers, and others. Some of these information systems are managed by third-party service providers. We have backup systems and business continuity plans in place, and we work with our internal specialists and these third-party service providers to protect these systems and data from unauthorized access.

Nevertheless, failure of these systems to function as intended, or penetration of these systems by outside parties intent on extracting or corrupting information or otherwise disrupting business processes, could place us at a competitive disadvantage, result in a loss of revenue, assets, or personal or other sensitive data, litigation and regulatory action, cause damage to our reputation and that of our brands, and result in significant remediation and other costs. Failure to protect personal data, respect the rights of data subjects, and adhere to strict data governance and cybersecurity protocols could subject us to substantial fines and other legal challenges under regulations such as the GDPR. As we are increasingly relying on digital platforms in our business, and as privacy laws in the jurisdictions in which we do business become more stringent, the magnitude of these risks is likely to increase.