Compliant handling of information is highly important for a leading innovative, science- and technology-driven company. When using personal data, the individuals’ rights must be appropriately protected. We strive to safeguard the rights of any person whose data we process, including but not limited to our employees, patients, customers and healthcare professionals. When it comes to cyber security, our company understands the importance of protecting our business from cybercrime and ensuring our information is secure from any associated internal and external risks.
Our approach to data privacy
The mandate and goal of our Group Data Privacy unit is to mitigate risks and create a global framework for data privacy-compliant business operations. This unit helps train our employees to handle data responsibly and with clear accountability. It safeguards our company by providing data privacy risk assurance and ensuring compliance with relevant data privacy laws globally. Group Data Privacy also contributes to creating value for the development of digital business models.
Our data privacy management system
In mid-2023, we completed the implementation of the core elements of our global and consistent data privacy management system (DPMS). Our DPMS uses the same kinds of elements as our compliance portfolio, adapted to our data privacy needs: policies and procedures, risk assessments and documentation, training and awareness, programs and tools, individual requests, monitoring and reporting, incident management, and continuous improvement.
Our approach to cyber security
It is of critical importance to our business to protect our information systems, their contents and our communication channels against any criminal or unwanted activities. These include e-crime and cyberattacks, such as unauthorized access, information leakage and misuse of data or systems.
Information security risk assessments are conducted as part of our project management process for all relevant projects. Additionally, existing applications classified as “severe” or “high-impact” assets undergo the same risk assessment. The results are monitored by the Cyber Security organization through an internal cyber risk register. If cyber risks are identified, risk treatment strategies are agreed with the respective asset owners and tracked until completion. Identified cyber security risks are reported in aggregated form to the Executive Board twice per year through our enterprise risk reporting.
Roles and responsibilities
Group Data Privacy is an independent function, organizationally integrated into Group Compliance and Data Privacy. We have a Group Data Privacy Officer and a network of local Data Privacy Officers at various sites Group-wide. In line with external regulations, the Data Privacy Officers and their respective teams act independently and without receiving internal or external instructions. Group Data Privacy regularly prepares data privacy updates and a comprehensive data privacy report. This report is submitted to the Executive Board and the Supervisory Board.
Cyber security is part of our Group Corporate Security Office. In addition, we have a Group Chief Information Security Officer and a network of Information Security Officers within the business sectors and Group functions who hold risk ownership, act as our first line of cyber security defense and are supported by dedicated networks. Our global Cyber Security function acts as a second line of defense and has responsibilities regarding cyber security risk governance and oversight. Our third line of defense consists of internal audits.
Our Cyber Security organization strengthens resilience against cyberattacks and data breaches. It defines policies and standards for cyber security (including data security) while providing oversight, tools and systems to manage and monitor our overall cyber security risk exposure. The organization is also responsible for providing cyber security monitoring and incident response capabilities across the entire company. Additionally, we train our employees on how to protect data properly.
Our commitment: Guidelines and standards
Data privacy framework
Our Data Privacy Policy and the corresponding standards and procedures define our principles for processing personal data. This approach allows us to achieve a high level of data protection for our employees, contract partners, customers, and suppliers as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European legislation, in particular the European Union General Data Protection Regulation (EU GDPR). We are also taking steps to meet local data privacy requirements, where these are stricter than our Group-wide standards.
Cyber security framework
Our Group cyber security governance framework contains organizational, process-related and technical information security countermeasures based on recognized international standards. In addition, we apply harmonized electronic and physical security controls (e.g. access controls and security monitoring) to bolster our ability to securely handle sensitive data, such as trade secrets.
Data privacy training and IT tools for documentation
In line with the EU GDPR and our global approach to data privacy, we regularly conduct e-learning training courses in ten languages. In 2023, the completion rate for our e-learning courses was 99%. Additionally, local Data Privacy Officers support the execution of our Group-wide training plan by conducting training for specific target groups on request. Furthermore, we reinforced the importance of data privacy to all employees by promoting Data Privacy Day in 2023 via our internal communication channels.
We maintain a central IT tool to provide a single source for data privacy processes, such as registering data processing activities and reporting potential data privacy incidents. In 2023, we reported seven cases of minor personal data breaches to the supervisory authority. One of them related to identified data leaks, theft, or loss of customer data. However, none of these cases were sanctioned.
Cyber security awareness
The Cyber Security organization has established multiple campaigns – in addition to the mandatory IT Security Awareness e-learning training – to ensure a high level of awareness among internal and external employees. One example is the cyber hero campaign, which features a series of videos demonstrating how to apply information security effectively through real-life examples. In addition, all employees receive monthly phishing e-mail simulations to help them identify and report potential attempted breaches in an interactive way.