More data results in more opportunities and more challenges
The coronavirus crisis has shown us that digital solutions can make our lives much easier. Connectivity, digitalization, and the ability to process large amounts of data will provide huge benefits for mobility in the future as well. Many of our customers already take advantage of live traffic information and other data-based services. In production, greater connectivity makes processes more efficient while digital product planning helps conserve resources. Data-based products also benefit our customers when it comes to sales and service.
However, while data opens up new business opportunities, its use also requires great care. Data is a sensitive commodity that is worthy of the protection offered by a strict legislative framework. The regulatory requirements relating to data protection in particular have become much more stringent in recent years. For example, the implementation of the European Union’s General Data Protection Regulation (GDPR) has resulted in additional requirements that companies are obligated to meet when they handle personal data. The general public is also now more aware of this issue, so the responsible handling of data has become crucial in terms of a company’s ability to compete on the market.
However, the GDPR is not the only challenge facing companies that operate on an international scale. After all, concerns about data protection are not limited to Europe, and throughout the world many countries in which the Daimler Group operates have tightened their national data protection laws. Moreover, different societies also have different expectations with regard to data protection.
How we assume data responsibility
Data responsibility involves more than just data protection. Daimler is taking on this responsibility by pursuing a holistic data governance approach that covers not only legal but also cultural and organizational aspects. The key aims are the sustainable design of data-based business models and the responsible handling of data in the interests of our customers, employees, and other stakeholders. In order to achieve these goals, we have taken a number of measures, such as employee training and the provision of in-depth information to our customers. We have also established a Group-wide Data Governance System that consists of our Group-wide Data Governance Structure, our data vision, our data culture, and our Data Compliance Management System.
Our Data Governance Structure is promoting the digital transformation
The Group-wide Data Governance System was developed at the Board of Management’s Integrity and Legal Affairs division. As part of the process for implementing the Data Governance System, Daimler created a Data and Analytics Board for every division in 2019 and 2020. The Data and Analytics Boards are made up of cross-functional teams of managers who perform data-related tasks. These teams meet regularly to promote the digital transformation at the divisions on the basis of the measures prioritized by the Board of Management. All the relevant specialist units coordinate their current data analysis projects within these boards and create the basis for the efficient and responsible use of data. Specialists at the Integrity and Legal Affairs Board of Management division monitor the projects from the beginning in order to help ensure that they are conducted in compliance with all relevant laws.
We have also set up a Data Governance Committee at the Group level. This committee defines policies regarding core company-wide issues relating to data management, information security, data protection, and data compliance and makes business policy decisions on the way in which the company handles data.
Each division is responsible for the operational implementation of our strategic data responsibility goals. Consequently, all the divisions at the Daimler Group have launched a corresponding program for the creation of specific processes and systems that ensure the responsible use of data.
Our data vision provides the framework
Daimler’s data vision describes our commitment to the sustainable and responsible handling of data. It provides all Daimler Group employees with a clear frame of reference for the handling of data. We have made our Daimler data vision known throughout the Group and also included it in the current version of our Integrity Code.
For us, ensuring effective data protection and data security in vehicles is an integral component of product development. Even during the design stage of new vehicles and functions and the conception of digital business models, our developers make sure that these systems promote and ensure data protection. Many of the current model series already offer technical conveniences such as live traffic information and active traffic jam assistants that are based on the processing of data. In addition, we are paving the way for more innovations. The data-protection-friendly design of connected vehicles, automated driving functions, and other new services and applications is a focus of our product-related data protection activities in line with the privacy by design concept.
Our Data Compliance Management System ensures that we adhere to regulations
Within the framework of the implementation of the European Union’s General Data Protection Regulation (GDPR), we have consolidated all existing data protection measures, processes, and systems throughout the Group into a single Data Compliance Management System. This system is based on the Daimler Compliance Management System.
Our Data Compliance Management System supports our systematic planning, implementation, and continuous monitoring of measures to ensure compliance with the data protection requirements. It takes into account the existing applicable data-protection regulations. For our Group companies in the EU, the GDPR is particularly relevant; for our Group companies outside the EU, the relevant local data protection laws apply. We incorporate additional areas of the law that are relevant to data use into this system as needed in order to identify and address possible risks.
How we manage data protection and data compliance in our organization
For the establishment of the Data Compliance Management System, we have created the Data Compliance unit within the compliance organization. This unit defines the individual elements of the Data Compliance Management System and controls their implementation throughout the Group. The tasks of the unit also include carrying out the annual Data Compliance Risk Assessment and establishing the Data Compliance Program, which includes all of the measures needed for implementing the Data Compliance Management System. Among other things, these measures include compliance with the formal requirements of the GDPR as well as the introduction of a processing list for meeting our documentation obligations. In addition, the unit is responsible for managing Group-wide data compliance monitoring and reporting processes. It also conducts numerous communication and training measures and offers some data protection consulting services.
A key interface for the Group-wide data compliance management is provided by the Chief Compliance Officer, who reports on data compliance developments to the Board of Management member responsible for Integrity and Legal Affairs on a regular basis and also submits quarterly reports to the Board of Management as a whole.
Furthermore, the Chief Officer Corporate Data Protection performs the tasks required by law to ensure compliance with data protection rules. Together with his team, he monitors compliance with data protection laws and the Daimler Data Protection Policies. His tasks also include handling complaints regarding data protection and communicating with the regulatory authorities for data protection. In addition, he initiates communication and training measures and provides consultation. For example, he informs and advises the responsible individuals and specialist units, particularly with regard to data protection impact assessments. He is independent and reports to the Chief Compliance Officer.
Our approach to the effective management of data protection also relies on local contact persons at our numerous sites and facilities around the world. We have appointed a Local Compliance Officer or a Local Compliance Responsible for every Group company and corporate unit. This individual helps the local management implement the data compliance measures. We specifically prepare these local contacts for their new tasks and support them with training courses and consultation.
Our guidelines for the responsible use of data
Data Protection Policy EU: The standard for processing EU-related data
Our revised Data Protection Policy EU uses the GDPR as the basis for defining the standards for handling the EU-related personal data of employees, customers, and business partners. It takes into account the special regulatory environment in Daimler’s core market of Europe. This policy also includes binding corporate rules for Group companies that are located outside the area subject to the GDPR but which nevertheless, as the recipients of cross-border data transfer, process personal data to which the GDPR applies. Our Data Protection Policy EU has been submitted to the responsible supervisory authority in Baden-Württemberg for approval as binding corporate rules as defined by the GDPR.
Our Global Data Protection and Information Policy regulates data compliance worldwide
Our new Global Data and Information Policy forms the foundation for the responsible, legally compliant, and ethical handling of information and data. It creates transparency with regard to responsibilities and roles in a data- and information-based environment. It defines the goals, principles, and organizational structures, and also stipulates the measures that are needed to establish the data compliance processes. The policy also includes global standards for data compliance that are designed to ensure that a uniform level of data protection exists worldwide throughout the Daimler Group. This level of data protection represents a minimum standard that is supplemented by the provisions of the Data Protection Policy EU and the applicable local data protection laws.
AI principles provide orientation for the responsible use of algorithms
Artificial intelligence (AI) is playing an increasingly important role for the future of the automotive industry. As a result, in 2019 Daimler AG became one of the first automobile companies in the world to define and publish a framework for the responsible use of AI. Its cornerstones are the four AI principles: responsible use, explainability, protection of privacy, and safety and reliability. They supplement the principles of our data vision and are an important part of our company’s digital responsibility.
The AI principles are based on our corporate values and have also been incorporated into the Daimler AG Integrity Code. They were developed in a broad-based, cross-unit dialog process. Their aim is to provide our employees with guidance for the development and handling of AI and to continually improve the quality of our products and services in order to increase people’s trust in our company.
We increase people’s awareness of the responsible handling of data within the company
As part of its data-driven transformation, Daimler is promoting the more active use and responsible handling of data. The seven principles of the Daimler data vision provide us with a framework for these activities.
In order to establish our data culture throughout the Group, it is important that all of the employees embrace these principles and put them into practice in their daily work. To this end, we launched extensive information and training measures for all employees in 2020. These include communication measures to sensitize the employees to the seven guiding principles. Practical questions are used to explain the significance of these principles.
Moreover, various online training courses enable our employees to address the topics of data culture and data governance. They are trained in the responsible use and sharing of data and taught how to increase transparency and data quality. In addition, the Data Navigator and the Digipedia provide all employees with two platforms that contain all of the key information as well as numerous data-related learning opportunities.
Every three years, all employees at our controlled Group companies who have e-mail access must complete the Integrity@Work online training course, which also raises their awareness of data protection issues. Furthermore, we offer voluntary training modules for employees who wish to learn more about data protection and the GDPR. However, GDPR training courses are mandatory for certain managers. In addition, local management at every Group unit can require employees to participate in these courses. Thanks to our IT-supported Learning Management System, all training measures are available around the globe.
Employees from units where data protection is particularly relevant, such as human resources, sales, and development, are trained in person by the respective Local Compliance Officer or Local Compliance Responsible (either in classrooms or online). We produce annual training plans for units at the Group that are subject to high data protection risks. Participation in the training courses is documented as well.
The onboarding process for new managing directors at Group companies also includes an overview of Daimler’s Data Compliance Management System. All managers can also conduct their own independent study program using the data protection sections in the Corporate Governance Navigator on the Group intranet.
The local data protection compliance organization plays a key role in terms of compliance, consulting, and the implementation and monitoring of compliance measures. In addition to the aforementioned courses, our Local Compliance Officers and Local Compliance Responsibles at Group units with a medium or high data protection risk classification also take part in an interactive data compliance qualification program that runs for several days. In this program, they obtain basic knowledge about data protection law and receive instruction on how to handle specific tasks. Local Compliance Officers and Local Compliance Responsibles at Group units with a low data protection risk classification take part in a video-based training program with the same type of content.
We recognize and assess data-related risks and take precautionary measures
A key component of the Data Compliance Management System is the Data Compliance Risk Assessment, which is a systematic process conducted by the Data Compliance unit each year in order to identify, analyze, and evaluate data compliance risks at Daimler. The assessment is performed for both Group companies and corporate departments. The results of this analysis form the basis for managing and minimizing risks. They enable us to adopt a risk-based approach for the further development of our Data Compliance Management System.
The assessments are based on centrally compiled information on all units at the Group; specific additional details are taken into account in line with the given risk assessment. First, the Data Compliance unit makes an assessment on the basis of internal and external information. This includes, for example, an examination of data processing indicators that result from normal business operations and an analysis of the regulatory environment in the country in which the given Group unit is located. Data Compliance uses these indicators to determine whether the Group unit in question is exposed to particular risks and therefore needs to be looked at more closely. In such cases, Data Compliance also makes use of information from the Divisional/Regional Compliance Officers’ network for its risk classification. The Chief Compliance Officer and the Divisional/Regional Compliance Officers’ network confirm the results of the annual Data Compliance Risk Assessment and report these results to the Board of Management and Supervisory Board committees of Daimler AG, Mercedes-Benz AG, Daimler Truck AG, and Daimler Mobility AG.
We reduce information technology risks
The systematically pursued digitization strategy enables Daimler to utilize new opportunities to increase customer benefit and the value of the company. Nonetheless, the high penetration of information technology (IT) at all divisions also brings risks for their business and production processes, as well as for their services and products.
The ever-growing threat from cybercrime and the spread of aggressive malicious code brings risks that can affect the availability, integrity and confidentiality of information and IT-supported operating resources. Despite extensive precautions, in the worst-case scenario, this can lead to a temporary interruption of IT-supported business processes with severe negative effects on the Group’s earnings. In addition, the loss or misuse of sensitive data may under certain circumstances lead to a loss of reputation. In particular, stricter regulatory requirements such as the EU Data Protection Directive may, among other things, give rise to claims by third parties and result in costly regulatory requirements and penalties with an impact on earnings.
It is essential for the globally active Daimler Group and its wide-ranging business and production processes that information is available and can be exchanged in an up-to-date, complete and correct form. Daimler’s internal framework for IT security is based on international standards and its protective measures also apply industry standards and good practice. New regulatory requirements for cyber security and cyber security management systems are taken into account in the further development of our processes and policies. Appropriately secure IT systems and a reliable IT infrastructure must be used to protect information. Cyber threats must be identified over the entire lifecycle of applications and IT systems, and dealt with in line with their seriousness. Particular attention is paid to risks that could result in the interruption of business processes due to the failure of IT systems or which could cause the loss or corruption of data. The advancing digitization and connectivity of production equipment is accompanied by coordinated technical and organizational security measures.
Due to growing requirements concerning the confidentiality, integrity and availability of data, Daimler has implemented various preventive and corrective measures so that the related risks are minimized and possible damage is limited. For example, the Group reduces potential interruptions of operating processes in data centers by means of mirrored data sets, decentralized data storage, outsourced data backups and IT systems designed for high availability. Emergency plans are developed and employees are trained and regularly sensitized in order to maintain operating capability. Specific threats are analyzed and countermeasures are coordinated at a globally active Cyber Intelligence & Response Center. The protection of products and services against the danger of hacking and cybercrime is continually developed.
The possible impact and probability of occurrence of information-technology risks are unchanged compared to the previous year.
We systematically investigate all complaints
The Daimler Group has established a central round-the-clock reporting system for all incidents involving information security: the Information Security Incident Management Process. Employees and contractors are instructed to report all potential personal data breaches via this system. Incidents relating to data protection that occur at units subject to the provisions of the GDPR are addressed by the Corporate Data Protection unit, which is assisted in its investigations by local Incident Support. The Corporate Data Protection unit then issues a recommendation to the local management team as to whether supervisory authorities must be informed of the incident and whether those affected by it must be notified within the period stipulated by law. Local Incident Support departments handle incidents relating to data protection that occur at units that are not subject to the GDPR. Together with the local management teams, these departments decide whether supervisory authorities must be informed of an incident and whether those affected by it must be notified as well. Here, the Corporate Data Protection unit can be brought in for support at any time. The results of all investigations have to be submitted to the Corporate Data Protection unit for documentation purposes.
During the reporting year, a small number of cases were reported to the responsible regulatory authorities for data protection. The authorities did not take any measures against the company in response.
Along with its Incident Management Process, Daimler also has in place for all compliance issues a whistleblower process that employs a fair and adequate approach to investigate reports on incidents that pose a high risk to the company and its employees. The Data Compliance unit teaches all Local Compliance Officers and Local Compliance Responsibles how to address complaints. These courses provide information on both local data protection provisions and the requirements defined in the GDPR.
The contact details of the Chief Officer Corporate Data Protection are publicly available, and customers can direct their questions or concerns regarding data protection to him or his team at any time. The number of complaints received by Corporate Data Protection was lower than in the previous year. Data protection regulatory authorities conducted investigations in response to customer complaints; the number of such investigations was in the low single-digit range and was also lower than in the prior year. No measures were taken against the company as a result of any of these investigations.
How we assess the effectiveness of our management approach
Our Data Compliance Management System is being implemented continuously. An annual monitoring and reporting process helps us to investigate the extent to which the previously defined measures have been implemented and the associated goals have been reached. For example, our compliance organization continually assesses the adequacy and effectiveness of the Compliance Management System. We also document in our compliance reporting system any areas where action needs to be taken. In 2020 the effectiveness review showed that the implementation of the measures progressed considerably throughout the Group. Remaining areas of action were made transparent. The compliance organization uses the knowledge gained from the review to adjust the system to take into account changes to the risk situation and new legal requirements.