Customer Privacy
As a technology-oriented company, we place great importance on safeguarding our customers’ rights to privacy and security.
Why it matters
Customers and business partners place a great deal of trust in dormakaba as a premium partner for access and security solutions. dormakaba takes the protection of data and information very seriously. Abuse and misuse of data and information can lead to major tangible and intangible damage due to, for example, relevant information being unavailable, rendered unusable or incorrect, or – in the worst-case scenario – made available or accessible to a malicious third party.
Read about how we ensure connectivity while securing data in this interview with Andreas Robbert, our Information Security Officer.
Safeguarding our customers’ rights to data protection and privacy includes obtaining data by lawful and fair means, protecting the personal data of customers by adequate information security safeguards and using customer data in sales responsibly. dormakaba also considers the proliferation of new technologies and security risks because we understand we have a responsibility to protect sensitive information against unauthorized access, loss or falsification. We place a strong focus on:
- Customer data
- Operating and business data
- IT systems
- Financial data
- Employee data
Considering all information and data available within dormakaba, we pursue the following security aims:
- Confidentiality: confirmation that access to information is limited to persons entitled to see it.
- Availability: entitled persons can access information during defined periods and from defined locations.
- Integrity: warranty that information is correct and complete.
The dormakaba Group Data Protection Officer, in cooperation with the Group Information Security Manager, oversees our approach to customer privacy.
Information Security Management System at the core
To meet our security aims, senior management introduced an Information Security Management System (ISMS) in line with best practice in the industry. Our Chief Technology Officer (CTO) also acts as the Chief Information Security Officer (CISO) within the ISMS. This management system is based on the international ISO/IEC standard 27001:2013, the most recognized standard in the field. Certification to the standard is planned in the financial year 2019/20. As outlined in the Group Directive Information Security, the goal of the ISMS is to achieve and maintain an adequate security level by leveraging risk management methods, continuous improvement and best practices – all adjusted to our needs. The risk management included in the ISMS is used to identify, assess and treat risks adequately.
Reporting to the CISO, the Group Information Security Manager is responsible for anticipating and assessing new threats related to information security risks. They are also responsible for implementing the necessary security levels for dormakaba, as defined by the Security Board in accordance with its Charter. Additionally, Information Security Coordinators (ISC) are responsible for implementing the ISMS within an assigned segment or Group function, and for providing support during security audits.
EU General Data Protection Regulation (GDPR)
In the financial years 2017/18 and 2018/19, we focused on aligning internal compliance processes to the new EU General Data Protection Regulation (GDPR). The GDPR aims primarily to give control to citizens and residents over their personal data, bringing with it a new set of "digital rights" for EU citizens at a time when the digital economy places increasing economic value on personal data.
We have set ourselves three objectives:
- Compliance with requirements: the legal and contractual requirements for the protection of personal data are adequately implemented and complied with at all times
- Embedding in the organization: the protection of personal data is a central component of all projects, activities and processes in which this data is processed
- Continuous improvement: guidelines, procedures, measures and structures for the protection of personal data follow uniform principles and are continuously further developed and adapted to changing conditions
Raising employee awareness
We are aware that technological advances in IT security cannot always guarantee the security of the entire business environment, as human behavior can affect information security and the associated risks. Phishing and other social engineering techniques exploit the human risk factor. In 2019, this trend in such attacks has continued. Attackers are even using technologies such as artificial intelligence to develop their attack scenarios and make fraudulent e-mails and messages appear more real to the victim.
However, people can learn to deal with risks in a professional and smart way. Raising employee awareness of information security risks is a continuous process that, if done correctly, turns the root of the problem into part of the solution. With our information security training programs, in which all our employees must participate, we not only train our employees to recognize suspicious messages, phone calls, and other social engineering tactics; we are also building a culture of cyber security that enables us to manage our risks in a targeted and effective way.
The financial year 2018/19 has been marked by the development of frameworks for Cyber Risk Management, the implementation of a highly professional security operations center with a focus on threat detection and response, and the mitigation of information security risks through Group-wide security training in order to strengthen employee awareness.
There have been no reported incidents nor substantiated complaints concerning breaches of customer privacy or losses of customer data within the financial year 2018/19.
Now that we have established the foundation of our ISMS, we plan to further expand its capacity to achieve our long-term goals and protect our customers' data and information. As regards data protection, employees will be provided with a basic data protection eLearning training in autumn 2019.
Ensuring connectivity while securing data
An interview with Andreas Robbert, dormakaba Information Security Officer
For a long time, the trend has been toward internet-based solutions and contactless access media, which are an ideal complement to traditional mechanical keys to access rooms. The use of smartphones is becoming increasingly important too in applications such as accessing hotel rooms. Clearly this brings additional customer benefits, but data security and data protection are the crucial issues. How do you see the connection of data privacy to the two dormakaba values Customer First and Trust?
Trust is not only our brand promise but also a key value in the area of information security and the protection of private data. What our customers expect from us is fully in line with our plans to operate an ISMS that will make our environment, and thus our products, safer and more reliable. With the increasing importance of data protection within the framework of the GDPR, we were already on the right track. For us, data protection is not an additional burden, but an opportunity – an opportunity to strengthen our products and our brand and thus prepare our customers for the future.
Where do you see the biggest challenges related to customer privacy? How has the General Data Protection Regulation impacted the company’s work?
We need to prepare for GDPR-like regulations. Other countries outside the EU already have their own regulations or laws, which sometimes orient themselves toward the GDPR or away from it. Therefore, it is crucial that we consider our information security and data protection management systems under these aspects as well, and in areas that are important to our business. This work is vital to ensuring we meet our compliance obligations and to improving the awareness of our employees.
Where do you see opportunities for dormakaba in the area of technology-driven growth, e.g. Internet of Things and connected security products?
Our mission is to make access in life smart and secure. We are confident that building management will evolve from on-premise systems to connected, on-demand, and cloud-based solutions. This should create more efficient possibilities for the operation of buildings and also facilitate integration with partners who complement our offerings, e.g. integration of video, alarm or building control systems. We have created the basis for offering data-centric services such as descriptive, predictive and prescriptive services that complement our current product offering. With all of these new developments, it is very important to us that we remain focused on data protection and information security.