GDPR and E-privacy - Mitigating the Risks for MNOs
2018.05.02   |   34 pages   |   Revenue Continuity

Author:
Robert Harrison



The GDPR, which applies from 25 May 2018, and the accompanying EU e-privacy rules place much more stringent requirements on organisations to ensure that an EU customer’s personal data is used only for purposes that customer has agreed to and is held securely. This applies both to the organisation providing goods or services to the customer (the data controller) and to any other party, whether located in the EU or not, that it has contracted to handle that data on its behalf (a data processor). The penalties for failing to meet these requirements can be very severe.

Most mobile operators have many millions of customers and hold extensive data on them, including personal and financial information, their contacts and their patterns of behaviour, so any breach could affect very large numbers of people. The nature of their operations means that this data is typically spread across many databases and systems (BSS, OSS and the supporting IT estate), which makes it harder to know where all personal data resides, widens the attack surface and makes operators an attractive target for criminals.

MNOs must ensure full compliance with the spirit as well as the letter of the GDPR in order to minimise the risk of non-compliance and the consequent penalties. They also need to be sure that they have taken all feasible actions to mitigate the risks involved.

  • Even operators with no footprint within the EU will almost certainly hold data concerning EU residents, for example when those residents roam onto their networks. Arguably, these operators could come within the remit of the GDPR.

This report looks at the experiences of operators that have suffered a major breach, gives examples of preparation for GDPR and assesses the likely readiness of the industry. It reviews the approaches being taken by a number of national data protection authorities in order to gauge the likelihood of severe penalties being imposed in the early days of the regulations, and the types of actions that will mitigate both the risk and the size of penalties.


Companies: TalkTalk, Orange (Belgium), Telenor, Telia, A1, Wind Tre, CNIL, BfDI, ICO, CDPO, GPDP, AP

Countries: Global, EU, Austria, Belgium, Czech Republic, France, Germany, Ireland, Italy, Netherlands, US, UK, Denmark, Estonia, Hungary, Malta, Lithuania, Luxembourg, Latvia, Poland, Sweden, Slovenia

Keywords: BSS, NDPA, National Data Protection Authority, Data Protection Officer, DPIA, consent, fines, IT, DPO, right to be forgotten, privacy, deletion, data subject, erasure, DSAR, e-privacy, EU citizen, personal information, penalty, Data Protection Impact Assessments, personal data, retention of data, breach, OSS, right to portability, GDPR, profiling

Table of Contents

1 Overview (p. 1)
2 Introduction (p. 2)
2.1 Background to the Report (p. 2)
2.2 Report Content (p. 3)
2.3 Currency and Conversions (p. 3)
2.4 Further Questions and Feedback (p. 4)
3 What GDPR & E-Privacy Means for MNOs (p. 5)
3.1 Introduction (p. 5)
3.2 Rationale & Principles Underlying GDPR & E-privacy (p. 5)
3.3 The Requirements of GDPR & E-privacy (p. 6)
3.3.1 GDPR (p. 6)
3.3.2 International Scope of GDPR (p. 8)
3.3.3 E-privacy (p. 10)
4 Regulators’ Approach (p. 11)
4.1 Introduction (p. 11)
4.2 General Guidance (p. 11)
4.3 France - CNIL (p. 14)
4.4 Germany - BfDI (p. 14)
4.5 Czech Republic - CDPO (p. 15)
4.6 Italy - GPDP (p. 15)
4.7 Netherlands - AP (p. 15)
4.8 UK - ICO (p. 16)
5 Operator Experience and Good Practice (p. 17)
5.1 Overview (p. 17)
5.2 Data Breach and Recovery - TalkTalk’s Experience (p. 17)
5.2.1 Background (p. 17)
5.2.2 The Security Breaches (p. 18)
5.2.3 The Penalties (p. 18)
5.2.4 Impact on Business (p. 19)
5.2.5 The IT Recovery - Remedial Action and Preparation for GDPR (p. 19)
5.3 Achieving Compliance - An EU Operator’s Approach (p. 21)
5.3.1 Policies (p. 22)
5.3.2 The Customer (p. 23)
5.3.3 IT and Security (p. 23)
5.3.4 Third Parties (p. 25)
5.3.5 Incentives and Measurement - Departmental Status (p. 25)
5.4 Good Practice for Customers - Orange Belgium (p. 25)
5.5 Telenor Group (p. 27)
5.6 Telia (p. 27)
6 Findings and Conclusions (p. 29)
6.1 Summary (p. 29)
6.2 Implications for MNOs (p. 29)
6.3 Approach of NDPAs (p. 30)
6.4 Conclusions (p. 31)
7 Recommendations (p. 33)
Appendix - Feedback Questions (p. 35)
