At Naspers, we recognise that privacy is an important value and an essential element of public trust.
We strive to be a trusted company and expect all our businesses to aspire to the same status. We expect each business to implement responsible data-privacy practices in a way that is adapted to its own circumstances and that takes into account its business model, the cultures of the countries in which it operates, its compliance obligations, and its human and financial resources.
A groupwide policy
Our policy on data-privacy governance sets out the responsibilities, principles and programmes for ensuring data privacy across the Naspers group. It is designed to define and document how data privacy is managed in the group; to promote best practice; to accommodate the different business models, resources, culture and legal requirements across the group; and to support trust in our businesses’ products and services.
The critical foundation is to give clear accountability to individual businesses. Each business is directly responsible for managing data privacy in its organisation. This responsibility rests ultimately with the CEOs of each business – they lead in implementing the group’s policy and are directly accountable for the data-protection programmes and privacy standards in their organisations.
This approach to data privacy aligns with Naspers’s model of decentralised governance and broader belief in encouraging great leaders and businesses to excel. We believe setting the right shared principles and giving businesses the direct responsibility to enact them is the best way to have a greater long-term positive impact. More broadly, we are fostering a culture of data privacy and looking to businesses to ensure privacy by design, where privacy becomes part of the fabric of day-to-day work rather than an add-on.
Seven data-privacy principles
Each business is expected to respect and implement seven core data-privacy principles. Widely recognised internationally as fair information privacy principles, they are ethical guidelines for the responsible use of data. Critically, they are both universal and able to be applied to the different businesses in the group – from established global players to startups in jurisdictions that may not yet have a data-privacy law.
We offer appropriate notice about our data-privacy practices.
2 Individual control
We honour data subjects’ choices regarding their personal data.
3 Respect for context
We recognise that data subjects’ expectations about fair and ethical use of their personal data are informed by the context in which their data was first collected.
4 Limited sharing
We limit unnecessary personal data sharing with third parties.
We retain personal data only for as long as we need it.
We ensure appropriate security.
We engage with governments and data-protection authorities.
To help businesses put the principles into practice, we have a data-privacy programme designed to scale to their different needs and circumstances. This ensures that our core data-privacy commitment and approach are followed in ways that really work for our businesses. The programme has seven key elements: ensuring executive buy-in; knowing your data; setting policies; training employees; managing vendors and third parties; legal compliance; and reporting.
Supporting and monitoring
The group’s data-privacy office supports and monitors the businesses. Help includes guidance on implementing the data-privacy programme, a secondment programme that develops and trains future privacy leaders nominated by companies within the group, and advice on any data-privacy implications of mergers and acquisitions.
This year we formalised the appointment of data-protection officers in the businesses. Regular calls and meetings take place with the officers, ensuring data-privacy best practice is shared across the group.
We also deployed new technology, including automated data-mapping and record-keeping, to facilitate the requirement to know your data – an increasingly complex challenge in businesses that are growing fast.
In addition, we deployed internal audit resources to verify data privacy, ensuring that what is reported to the group matches what is happening in the businesses.
Doing the best for our customers and the group
Implementation of our data-privacy programme continues to evolve across the businesses in the group. As well as meeting specific requirements, notably the GDPR in the EU, we are driving for comprehensive data privacy and protection throughout the group, around the world.
Understanding that there is always more to do and more to learn, we never stop striving to ensure good data-privacy practices so that we can do the best for our customers and the group.