Data security and privacy protection
As the world becomes more digital and an ever-increasing number of operations are handled electronically, cybersecurity is absolutely necessary for individuals, services and products alike. This makes the reliability and data security of our ICT services and processes all the more important.
Ensuring the confidentiality of communication, protecting the privacy of individuals and verifying online security are crucial issues for us.
Elisa’s data security policies define the principles, roles and responsibilities that are followed in data security development, maintenance and monitoring. The policies are binding on Elisa, its subsidiaries and, via agreements, Elisa’s suppliers and subcontractors.
The Elisa Group Security Board makes decisions about the security policies and monitors the management of key security risks. Elisa’s security organisation consists of the corporate security organisation and the security functions of the business units. The corporate security organisation manages the separate privacy protection, data security and operational security groups that coordinate our security operations.
We perform regular data security scans and inspections of our systems. We seek to identify any attempt to breach data security at the earliest possible phase and to repair recognised vulnerabilities or other threats. We use a separate operating model for the management of data security disturbances and exceptional situations. We communicate any measures related to the data security of our services in the most appropriate manner, on our website or through customer bulletins, for example. We also report incidents to the authorities.
The liability for privacy protection related to products and services and other security aspects rests primarily with the business units. The task of the Privacy Group, in turn, is to provide instructions and supervise issues related to privacy protection, and to ensure, among other things, that statutory information about our customer register is up to date. Processing personal data is strongly regulated under Finnish law and the regulations and guidelines of the relevant authorities. We disclose customer information only to the authorities or other telecommunication companies, and only within the limits of legislation and in accordance with the description of our customer register. Our personnel and partners continuously receive training on data protection and security, and they are bound by confidentiality obligations.
As a producer of national critical infrastructure, we plan our services and implement our systems by also taking account of preparedness, continuity and security aspects. We cooperate with the authorities, other companies and business organisations on preparedness and the development of cybersecurity.
Key measures and their results in 2016
- The EU General Data Protection Regulation entered into force in 2016 with a transition period of two years. Elisa started preparations for the new requirements in 2013 and proceeded according to schedule, specifying and changing its operations in the necessary manner to ensure compliance with the Regulation.
- The Finnish Communications Regulatory Authority did not issue any requests for clarification on data protection. There may have been some substantiated complaints regarding breaches of customer privacy and losses of customer data in the Elisa Group over the course of the year, but none were reported to the parent company. We are working on improving reporting practices to cover all the substantiated complaints regarding the matter.
- Some of Elisa's customers have been subjected to phishing attacks. Phishing is a criminal activity aimed at gathering confidential information, such as email IDs, passwords and payment card details. Elisa has issued instructions to its customers on how to protect themselves against phishing. The instructions and more information are available on our website.