Spotlight on data privacy


At Naspers, we recognise that privacy is an important value and an essential element of public trust.

We strive to be a trusted company and expect all our businesses to aspire to the same status. We expect each business to implement responsible data-privacy practices in a way that is adapted to its own circumstances, which considers its business model, the cultures of the countries in which it operates, its compliance obligations, and its human and financial resources.

A groupwide policy

Our policy on data-privacy governance sets out the responsibilities, principles and programmes for ensuring data privacy across the Naspers group. It is designed to define and document how data privacy is managed in the group; to promote best practice; to accommodate the different business models, resources, culture and legal requirements across the group; and to support trust in our businesses’ products and services.

Clear accountability

The critical foundation is to give clear accountability to individual businesses. Each business is directly responsible for managing data privacy in its organisation. This responsibility rests ultimately with the CEOs of each business – they lead in implementing the group’s policy and are directly accountable for the data-protection programmes and privacy standards in their organisations.

This approach to data privacy aligns with Naspers’s model of decentralised governance and broader belief in encouraging great leaders and businesses to excel. We believe setting the right shared principles and giving businesses the direct responsibility to enact them is the best way to have a greater long-term positive impact. More broadly, we are fostering a culture of data privacy and looking to businesses to ensure privacy by design, where privacy becomes part of the fabric of day-to-day work rather than an add-on.

Seven data-privacy principles

Each business is expected to respect and implement seven core data-privacy principles. Widely recognised internationally as fair information privacy principles, they are ethical guidelines for the responsible use of data. Critically, they are both universal and able to be applied to the different businesses in the group – from established global players to startups in jurisdictions that may not yet have a data-privacy law.

SEVEN DATA-PRIVACY PRINCIPLES:

1 Notice

We offer appropriate notice about our data-privacy practices.

2 Individual control

We honour data subjects’ choices regarding their personal data.

3 Respect for context

We recognise that data subjects’ expectations about fair and ethical use of their personal data is informed by the context in which their data was first collected.

4 Limited sharing

We limit unnecessary personal data sharing with third parties.

5 Retention

We retain personal data only for as long as we need it.

6 Security

We ensure appropriate security.

7 Governments

We engage with governments and data-protection authorities.

Data-privacy programme

To help businesses put the principles into practice, we have a data-privacy programme designed to scale to their different needs and circumstances. This ensures that our core data-privacy commitment and approach is followed in ways that really work for our businesses. The programme has seven key elements: ensuring executive buy-in; knowing your data; setting policies; training employees; managing vendors and third parties; legal compliance; and reporting.

Supporting and monitoring

The group’s data-privacy office supports and monitors the businesses. Help ranges from guidance on implementing the data-privacy programme, a secondment programme that develops and trains future privacy leaders nominated by companies within the group, and advice on any data-privacy implications of mergers and acquisitions.

Businesses provide regular privacy and security reports to group executives as an integral part of ongoing business reviews. The board’s risk committee reviews the data-privacy policy and its implementation annually as part of its oversight and governance responsibilities.

Implementing enhancements

This year we formalised the appointment of data-protection officers in the businesses. Regular calls and meetings take place with the officers ensuring data-privacy best practice is shared across the group.

We also deployed new technology, including automated data-mapping and record-keeping, to facilitate the requirement to know your data – an increasingly complex challenge in businesses that are growing fast.

In addition, we deployed internal audit resources to verify data privacy to ensure that what is reported to the group matches what is happening in the businesses.

Doing the best for our customers and the group

Implementation of our data-privacy programme continues to evolve across the businesses in the group. As well as meeting specific requirements, notably the GDPR in the EU, we are driving for comprehensive data-privacy and protection throughout the group, around the world.

Understanding that there is always more to do and more to learn, we never stop striving to ensure good data-privacy practices so that we can do the best for our customers and the group.

For many years we have viewed data privacy as an important strategic area for Naspers, not only in terms of good governance and risk management, but to do the right thing and build trust with our key stakeholders. Accordingly, we have a comprehensive data-privacy governance policy and a privacy programme designed to ensure the vast amount of data across the different businesses within the group is protected and managed.