Responsible use of data
Connectivity and digitalization will play a crucial role in future mobility – whether it involves automated and autonomous driving, driving assistance systems, vehicle safety, or new services. Many new business models are based on the availability of large amounts of data. The responsible handling and protection of such data is a top priority at Daimler.
More data, more opportunities, more challenges
Many of our customers already take advantage of the benefits offered by connected services such as live traffic information. The use of data for automobile manufacturers is also relevant elsewhere: For example, networked production systems make processes more efficient, while digital product planning helps conserve resources. Customers also benefit from data-based sales and service solutions. It’s clear that connectivity, digitalization, and the ability to process large amounts of data will become increasingly important for mobility in the future.
The availability of data doesn’t only create new business opportunities; it also leads to an obligation for companies to take special precautions when collecting and processing data. Data is a sensitive commodity and therefore worthy of the protection offered by a strict regulatory framework. The regulatory requirements related to data protection in particular have become much more stringent in recent years. For example, the implementation of the European Union’s General Data Protection Regulation (GDPR) has resulted in additional requirements that companies are obligated to meet when they handle personal data. The general public is also now more aware of the risks associated with the collection of personal data, so the responsible use of data has now become crucial in terms of a company’s ability to compete on the market.
The GDPR is not the only challenge facing companies that operate on an international scale. After all, concerns about data protection aren’t limited to Europe, and a trend toward more extensive data protection legislation can now be clearly observed around the world. Aside from the legal framework, different societies also have different expectations with regard to data protection.
How we assume our data responsibility
Data responsibility involves more than just data protection. Daimler therefore employs a holistic approach to ensure that it meets its corporate digital responsibility obligations. Along with compliance with relevant laws and regulations, this also involves cultural and organizational aspects that we refer to as “Data Governance”. The main objectives of our holistic approach to Data Governance are to sustainably design data-based business models and ensure the responsible handling of data in the interests of our customers, employees, and other stakeholders. Various measures need to be taken in order to achieve these objectives. Such measures involve everything from employee training to the introduction of a new management approach and the extensive provision of information to our customers. The Group-wide Data Governance System consists of our Data Vision Guiding Principles, our Data Culture, our Data Governance Structure, and our Data Compliance Management System.
The Daimler Data Vision
The Daimler Data Vision describes our commitment to the sustainable and responsible handling of data. It provides all Daimler AG employees with a clear frame of reference for activities regarding data. The data vision has great practical relevance and helps strengthen the trust of our employees and customers. It also offers employees a framework within which they can develop new business models.
Ensuring effective data protection and data security in vehicles is an integral component of our product development. Even at the very start of the development process for new vehicles, features, and digital business models, our employees make sure that these systems promote and ensure data protection. The digital transformation and the increased connectivity of services are already making it possible for the drivers of many current vehicle models today to enjoy technical conveniences such as live traffic information and the Active Stop-and-Go Assist system. What these and many other applications have in common is the fact that they all rely on the processing of data. The data-protection-friendly design of connected vehicles, automated driving functions, and new services and applications is therefore a focus of our product-related data protection activities in line with the “privacy by design” concept. When applying our data protection guiding principles, we take into account both market-specific and regional differences such as the different expectations of our customers regarding the protection of their data. We have made our data vision known throughout the Group and also included it in the new version of our Integrity Code.
Each division is responsible for its own implementation of our strategic data protection goals. That is why each division at the Daimler Group has launched its own program for the creation of specific processes and systems that ensure the responsible use of data.
Establishing a Data Culture
Effective data governance requires the existence of an appropriate data culture at a company, just as new digital business models require new ways of thinking.
In order to promote our data culture, we have developed new communication formats that incorporate various methods, instruments, and application examples. One example of that is our “Data Lectures,” which are held regularly at individual units throughout the Group. The lectures feature experts from specialist departments who report on their projects and experiences. With measures like these we show our employees the importance of data for our company and also make them aware of the need to handle data responsibly, not just in their own unit but also throughout the Group.
Our Data Governance Structure
The Group-wide data governance system was developed at the Board of Management’s Integrity and Legal Affairs division. For the implementation of data governance, Daimler has decided to establish Data and Analytics Boards for each division and has already established most of them. The Data and Analytics Boards are used by relevant specialist departments to coordinate their data analysis projects. Employees at Integrity and Legal Affairs accompany the projects from the beginning in order to ensure that they are conducted in compliance with all relevant laws and regulations.
We have also set up a Data Governance Committee at the Group level. This committee defines guidelines for core Group-wide issues related to data management, information security, data protection, and data compliance and makes business policy decisions on the way the company handles data.
The Daimler Data Compliance Management System
Within the framework of the implementation of the European Union’s General Data Protection Regulation (GDPR), we have consolidated all existing data protection measures, processes, and systems throughout the Group into a single Data Compliance Management System. This system is based on the Daimler Compliance Management System.
Our Data Compliance Management System supports our systematic planning, implementation, and continuous monitoring of measures to ensure compliance with the data protection requirements. In the first step, the Data Compliance Management System is focusing on data protection law. For our Group companies in the EU, the GDPR is particularly relevant; for our Group companies outside the EU, the relevant local data protection laws apply. Additional areas of the law that are relevant to data use are being gradually incorporated into this system in order to identify and address possible risks.
Implementing GDPR provisions
In order to implement the GDPR, the Corporate Data Protection unit analyzed the requirements and used this analysis to design practical guidelines for complying with them. These guidelines are now specific binding measures in our Data Compliance Program, which means their implementation is mandatory for all Group companies that are subject to the GDPR. The measures stipulated here comprise processes, IT solutions, and document templates for various areas.
Anchoring Data Protection and Data Compliance in our organization
For the establishment of the Data Compliance Management System we have created a new Data Compliance unit within the compliance organization. This unit defines the individual elements of the Data Compliance Management System and controls their implementation throughout the Group. The tasks of the unit also include carrying out the annual Data Compliance Risk Assessment, establishing the Data Compliance Program, and managing data compliance monitoring and reporting processes. In addition, it conducts numerous communication and training measures and offers certain data protection consulting services. The Chief Compliance Officer reports on data compliance developments to the Board of Management member for Integrity and Legal Affairs on a regular basis and also submits quarterly reports to the Board of Management as a whole.
At the same time, the Chief Officer Corporate Data Protection performs the tasks required by law to ensure compliance with data protection rules. Together with his team, he monitors compliance with data protection laws and the Daimler Data Protection Policy. His tasks also include handling complaints regarding data protection and communicating with regulatory authorities. In addition, the Chief Officer Corporate Data Protection initiates communication and training measures and provides consultation. He informs and advises those responsible and the specialist units, particularly with regard to data protection impact assessments. The Chief Officer Corporate Data Protection is independent and reports directly to the Board of Management member for Integrity and Legal Affairs.
Our approach to the effective management of data protection also relies on local contact persons at our numerous sites and facilities around the world. We are currently realigning the existing network of local Data Protection Coordinators and merging it into our global compliance network. We specifically prepare Local Compliance Officers and Local Compliance Managers for their new tasks and support them with training courses and consultation. We chose to use a two-stage risk-based approach for the realignment of the network. The first stage of this approach, which has already been completed, addressed all units at the Group with a high risk classification, as well as those units that have been issued a medium risk classification (as determined by the Data Compliance Risk Assessment) and that are subject to the GDPR. The second stage affects all other units with a medium risk classification and all units with a low risk classification. The second stage is scheduled to be completed by the end of 2020.
Guidelines for the responsible use of data
Data Protection Policy EU
Our Corporate Data Protection Policy, which was still valid in 2019, was revised in the reporting year, after which the new version was released in January 2020. This policy creates Group-wide standards for handling the personal data of employees, customers, and business partners. Our new Data Protection Policy EU takes into account the special regulatory environment in Daimler’s core European market. Using the GDPR as a basis, the policy establishes adequate and uniform standards for the processing of personal data. This Group-wide policy also includes binding corporate rules for Group companies that are located outside the area subject to the GDPR but which nevertheless, through cross-border data transfer, process personal data to which the GDPR applies. Our Data Protection Policy EU has been submitted to regulatory authorities for approval as binding corporate rules as defined by the GDPR.
Global Data and Information Policy
Our new Global Data and Information Policy forms the foundation for the responsible, legally compliant, and ethical handling of information and data. It creates transparency with regard to tasks, responsibilities, and roles in a data- and information-based environment. To this end, it defines the goals, principles, organizational structures, and measures that are needed to establish the corresponding processes. The policy also includes global standards for data compliance that are designed to ensure that a uniform level of data protection exists worldwide throughout the Daimler Group. This level of data protection represents a minimum standard that is supplemented by the provisions of the Data Protection Policy EU. Together, local data protection laws and the Group-wide Data Compliance Management System create the framework for legally compliant and sustainable data handling.
Addressing data-related risks
A key component of the Data Compliance Management System is the Data Compliance Risk Assessment, which is a systematic process conducted by the Data Compliance unit each year in order to identify, analyze, and evaluate data compliance risks at Daimler. The assessment is performed for both Group companies and central units. The results of the analyses form the basis of our risk management and risk minimization activities. The analyses enable us to adopt a risk-based approach for the further development of our Data Compliance Management System.
The assessments are based on centrally compiled information on all entities at the Group; specific additional details are taken into account in line with the given risk evaluation. First, the Data Compliance unit conducts a preliminary assessment on the basis of internal and external information. This includes, for example, an examination of the data processing within the scope of business activities and an analysis of the regulatory environment in the country in which the given Group unit is located. The unit uses these indicators to determine whether the Group unit in question is exposed to particular risks and therefore needs to be looked at more closely. If no particular risks are identified, a risk classification is issued immediately. The unit also makes use of information from the Divisional/Regional Compliance Officers’ network before issuing its final risk classification. The Chief Compliance Officer and the Divisional/Regional Compliance Officers’ network confirm the results of the annual Data Compliance Risk Assessment and report these results to the Board of Management and the Supervisory Board of Daimler AG, as well as to the same boards at the new divisional companies.
Comprehensive data protection training
Every employee with e-mail access who works at a Group company is required to participate once every three years in the web-based “Integrity@Work” training program, which also covers data protection topics. We also offer voluntary training modules for employees who wish to learn more about data protection and the GDPR. GDPR training courses are mandatory for certain managers. In addition, local management at a Group unit can require employees to complete such courses. Thanks to our IT-supported Learning Management System, all training measures are available around the globe.
Along with web-based training, employees who work in areas where data protection is especially relevant – for example in human resources departments or at sales or development units – can also take part in training courses offered by the central compliance organization. Local management is responsible for organizing such participation.
The onboarding process for new managing directors and CEOs at Group companies also includes an overview of Daimler’s Data Compliance Management System. All managers can also conduct their own independent study program using the data protection sections in the Corporate Governance Navigator on the Group intranet.
In Group units with a high data protection-related risk, we prepare annual training plans and document participation.
The local data compliance organization plays a key role in terms of compliance consultation and the implementation and monitoring of compliance measures. As a result, Daimler strongly emphasizes training measures and ongoing qualification for this target group.
In addition to the aforementioned measures, Local Compliance Officers and Local Compliance Managers at Group units with a medium or high data protection risk classification also take part in an interactive data compliance qualification program that runs for several days. This classroom program provides participants with basic information about the provisions of data protection laws and regulations and offers practical tips and advice for the respective tasks. Local Compliance Officers and Local Compliance Managers at Group units with a low data protection risk classification take part in a video-based training program with the same type of content.
The Daimler Group has established a central around-the-clock reporting system for all incidents involving information security: the Information Security Incident Management Process. Employees are instructed to report all potential data protection violations internally via this system. Incidents related to data protection that occur at units subject to the provisions of the GDPR are addressed by the Corporate Data Protection unit, which is assisted in its investigations by local Incident Supports. The Corporate Data Protection unit then issues a recommendation to the local management team as to whether supervisory authorities should be informed of the incident and whether the data subjects should be notified within the period stipulated by law. Local Incident Supports handle incidents related to data protection that occur at units that are not subject to the GDPR. Together with the local management teams, the Incident Support decides whether supervisory authorities should be informed of an incident and whether the data subjects need to be notified as well. The Corporate Data Protection unit can be involved for support at any time. The results of all investigations have to be submitted to the Corporate Data Protection unit for documentation purposes.
No incidents reported in 2019 involved data theft or data loss.
Along with its Information Security Incident Management Process, Daimler also has in place for all compliance issues a whistleblower process that employs a fair and adequate approach to investigate reports on incidents that pose a high risk to the company and its employees. The Data Compliance unit teaches all Local Compliance Officers and Local Compliance Managers how to address complaints. These courses provide information on local data protection provisions and the requirements defined in the GDPR.
The contact details of the Chief Officer Corporate Data Protection are publicly available, and customers can direct any questions or concerns regarding data protection to him and his team. Daimler has also provided extensive information on data protection to its customers within the framework of its “Project Future” program. As a result of the provision of this information, and the fact that awareness of the importance of data protection remains high, the number of inquiries received about data protection issues increased in the year under review. In eight cases, data protection authorities conducted investigations in response to customer complaints. However, no measures were taken against the company as a result of any of these investigations.
How we assess the effectiveness of our management approach
The Data Compliance Management System is still in the process of implementation. The most recent annual internal effectiveness evaluation of the Daimler Compliance Management System was conducted at the end of 2019. We evaluate and document the implementation of all stipulated measures within the framework of a monitoring and reporting process. In this way, our compliance organization conducts an annual evaluation to assess the adequacy and effectiveness of the Compliance Management System. Our compliance reporting system documents any areas where action needs to be taken, and we also monitor implementation of the associated measures. If necessary, the compliance organization will make adjustments in line with the knowledge gained from the evaluation, while also taking into account changed risks and new legal requirements.