Data protection & cyber security

Overview

Compliant handling of information is highly important for a leading innovative, science- and technology-driven company. When using personal data, the individuals’ rights must be appropriately protected. We strive to safeguard the rights of any person whose data we process, including but not limited to our employees, patients, customers, and healthcare professionals. When it comes to cyber security, our company understands the importance of protecting our business from cybercrime and ensuring our information is secure from any associated internal and external risks.

Our approach to data privacy

The mandate and goal of our Group Data Privacy unit is to mitigate risks and create a global framework for data privacy-compliant business operations. This unit helps to train our employees to handle data responsibly and with clear accountability. It safeguards our company by providing data privacy risk assurance and ensuring compliance with relevant data privacy laws globally. Group Data Privacy also contributes to creating value for the development of digital business models.

Our approach to cyber security

It is of critical importance for our business that we protect our information systems, their contents, and our communication channels against any criminal or unwanted activities. These include e-crime and cyberattacks, such as unauthorized access, information leakage and misuse of data or systems.

Roles and responsibilities

Group Data Privacy is an independent function, organizationally integrated into Group Compliance and Data Privacy. We have a Group Data Privacy Officer and a network of local Data Privacy Officers at various sites Group-wide. In line with external regulations, the Data Privacy Officers and their respective teams act independently and without receiving internal or external instructions. Group Data Privacy regularly prepares data privacy updates and a comprehensive data privacy report. This report is submitted to the Executive Board and the Supervisory Board.

Cyber Security is part of our Group Corporate Security Office. In addition, we have a Group Chief Information Security Officer and a network of Information Security Officers within the business sectors, each in turn supported by dedicated networks. The individual sectors hold risk ownership and act as our first line of cyber security defense. Our Global Cyber Security function acts as a second line of defense and has responsibilities regarding cyber security risk governance and oversight. Our third line of defense comprises internal audits.

Our Data Privacy Management System

Our goal is to complete the implementation of a global and consistent data privacy management system (DPMS) by mid-2023. Our DPMS applies similar elements as the compliance portfolio but adapted to the needs of data privacy. These include policies and procedures, risk assessment and documentation, training and awareness, programs and tools, individual requests, monitoring and reporting, incident management, and continuous improvement.

New Cyber Security organization

At the beginning of 2022, we created a new Cyber Security organization with a mandate to improve trust and strengthen resilience against cyberattacks and data breaches.

Our Cyber Security team defines policies and standards for cyber security (including data security) while providing oversight, tools and systems to manage and monitor our overall cyber security risk exposure. The team is also responsible for providing 24/7 cyber security monitoring and incident response capabilities across the entire company environment as well as training employees across the organization on how to protect data appropriately.

Our commitment: Guidelines and standards

Data Privacy Framework

Our Data Privacy Policy and the corresponding standards and procedures define our principles for processing personal data. This approach allows us to achieve a high level of data protection for our employees, contract partners, customers, and suppliers as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European legislation, in particular the European Union General Data Protection Regulation (EU GDPR). We are also taking steps to meet local data privacy requirements, where these are stricter than our Group-wide standards.

Cyber Security Framework

Our Group Cyber Security governance framework comprises organizational, process-related and technical information security countermeasures based on recognized international standards. In addition, we apply harmonized electronic and physical security controls (e.g. access control and security monitoring) to bolster our ability to handle sensitive data, such as trade secrets.

Data privacy training

In line with the EU GDPR and our global approach to data privacy, we regularly conduct e-learning training courses in ten languages. In 2022, the completion rate for our e-learning courses was 98%. Additionally, Local Data Privacy Officers support the execution of our Group-wide training plan by conducting training for specific target groups on request.

IT tools for documentation

We maintain a central IT tool to provide a single source for data privacy processes, such as registering data processing activities and reporting potential data privacy incidents. In 2022, we rolled out a new data privacy tool. Additionally, we use our corporate intranet for further communication, including answering data privacy questions and providing standardized templates. In 2022, we registered no sanctioned complaints or incidents concerning breaches of customer privacy, data leaks, theft, or loss of customer data. In three out of 57 cases, minor personal data breaches were reported to the supervisory authority. These were not sanctioned.

Cyber Security Awareness

The Cyber Security organization has established multiple campaigns – in addition to the mandatory IT Security Awareness e-learning training – to ensure a high level of awareness among internal and external employees. One example is the cyber hero campaign, which features a series of videos demonstrating how to apply information security effectively through real-life examples. In addition, all employees receive monthly phishing e-mail simulations to learn how to identify and report potential attempted breaches in an interactive way.

Cyberattack
Any intentional, unauthorized attempt to access an information and communication technology (ICT) or operational technology (OT) system for malicious purposes, such as data theft or modification, malware injection, or the initiation of additional attacks.
Data breach
Data breaches are defined as the unintentional loss or destruction of, or the unauthorized or unlawful processing of, personal data.
