Customer Privacy
As a technology-oriented company, we place great importance on safeguarding our customers’ rights to privacy and security.
Why it matters
Customers and business partners place a great deal of trust in dormakaba as a premium partner for access and security solutions. dormakaba takes the protection of data and information very seriously. Abuse and misuse of data and information can lead to major tangible and intangible damage due to, for example, relevant information being unavailable, rendered unusable or incorrect, or – in the worst-case scenario – made available or accessible to a malicious third party.
Key activities
Safeguarding our customers’ rights to data protection and privacy includes obtaining data by lawful and fair means, protecting the personal data of customers by adequate information security safeguards and using customer data in sales responsibly. dormakaba also considers the proliferation of new technologies and security risks because we understand we have a responsibility to protect sensitive information against unauthorized access, loss or falsification. We place a strong focus on:
- Customer data
- Operating and business data
- IT systems
- Financial data
- Employee data
Considering all information and data available within dormakaba, we pursue the following security aims:
- Confidentiality: assurance that access to information is limited to persons entitled to see it.
- Availability: entitled persons can access information during defined periods and from defined locations.
- Integrity: assurance that information is correct and complete.
The dormakaba Group Data Protection Officer, in cooperation with the Group Information Security Manager, oversees our approach to customer privacy.
Information Security Management System at the core
To meet our security aims, senior management introduced an Information Security Management System (ISMS) in line with best practice in the industry. Our Chief Technology Officer (CTO) also acts as the Chief Information Security Officer (CISO) within the ISMS. This management system is based on the international ISO/IEC standard 27001:2013, the most recognized standard in the field. Certification to the standard was achieved in the financial year 2019/20. As outlined in the Group Directive Information Security, the goal of the ISMS is to achieve and maintain an adequate security level by leveraging risk management methods, continuous improvement and best practices – all adjusted to our needs. The risk management included in the ISMS is used to identify, assess and treat risks adequately.
Reporting to the CISO, the Group Information Security Manager is responsible for anticipating and assessing new threats related to information security risks. They are also responsible for implementing the necessary security levels for dormakaba, as defined by the Security Board in accordance with its Charter. Additionally, Information Security Coordinators (ISC) are responsible for the implementation of the ISMS within an assigned segment or Group function, and for providing support during security audits.
EU General Data Protection Regulation (GDPR)
Our internal compliance processes are aligned with the EU General Data Protection Regulation (GDPR). The GDPR aims primarily to give control to citizens and residents over their personal data, bringing with it a new set of "digital rights" for EU citizens at a time when the digital economy places increasing economic value on personal data.
We have set ourselves three objectives:
- Compliance with requirements: the legal and contractual requirements for the protection of personal data are adequately implemented and complied with at all times.
- Embedding in the organization: the protection of personal data is a central component of all projects, activities and processes in which this data is processed.
- Continuous improvement: guidelines, procedures, measures and structures for the protection of personal data follow uniform principles and are continuously further developed and adapted to changing conditions.
Raising employee awareness
We are aware that technological advances in IT security cannot always guarantee the security of the entire business environment, as human behavior can affect information security and the associated risks. Phishing and other social engineering techniques exploit the human risk factor. In the financial year 2019/20, the trend of such attacks continued, and we are seeing an increase in ransomware across society. Attackers are even using technologies such as artificial intelligence to develop their attack scenarios and make fraudulent e-mails and messages appear more genuine to the victim.
However, people can learn to deal with risks in a professional and smart way. Raising employee awareness of information security risks is a continuous process that, if done correctly, turns the root of the problem into part of the solution. With our information security training programs, in which all our employees must participate, we not only train our employees to recognize suspicious messages, phone calls, and other social engineering tactics; we are also building a culture of cyber security that enables us to manage our risks in a targeted and effective way. The training series is made up of four modules: Information Security; Phishing; Social Engineering; and Cyber Security.
Our performance
We have achieved ISO 27001 certification in the financial year 2019/20 as planned. The scope of the certification covers Group IT as well as dormakaba digital and digital-based product development, such as for the Electronic Access & Data and Safe Locks product clusters.
We have continued the mitigation of information security risks through Group-wide security training in order to strengthen employee awareness. A new eLearning course on data protection, which is available in five languages, was completed by around 2600 employees in the financial year 2019/20.
As part of the GDPR implementation project, we have established a Data Protection Management System (DPMS), a manual and a document library to serve all employees. A new process was developed whereby project managers must carry out GDPR assessments prior to any project being activated. This also applies to the development of new products or apps. Product managers are provided with a guideline of GDPR requirements, including the legal requirement of applying Privacy by Design and Privacy by Default in the development process.
There have been no reported incidents nor substantiated complaints concerning breaches of customer privacy or losses of customer data within the financial year 2019/20.
Outlook
We will be publishing four new Directives setting out the internal rules and regulations for data protection early in the financial year 2020/21 and expanding the data privacy organization in Norway and Switzerland. A reporting process with corresponding key performance indicators (KPIs) is currently being developed in order to provide standardized reports. The KPIs will be used to manage, monitor and improve the data protection organization and the DPMS. We also plan to expand the scope of our ISO 27001 certification and to perform penetration tests to assess potential vulnerabilities in our infrastructure.