Data privacy and security
Data protection in the digital age
DNV GL is a strong advocate for digital technology. We believe in harnessing its benefits to improve how we operate and to make a difference to our customers and wider society. At the same time, there are clear risks to be managed relating to cyber-crime and data protection, and these are high priorities for our stakeholders. For DNV GL, data security is a natural extension of our purpose within the digital age – ‘to safeguard life, property and the environment’.
To mitigate digital and data risks we focus on ensuring our own cyber security and using our skills to help customers do the same. Alongside digital security, our data protection management system works to protect the right to privacy of our employees, customers, suppliers and business partners in line with the European General Data Protection Regulation (GDPR).
In March 2019, we set a heightened state of IT security and activated our Computer Emergency Response Team as a precautionary measure due to a ransomware attack on a large Norwegian enterprise, a customer of DNV GL. After three days we restored normal IT security levels. During the period of heightened security, we quarantined all e-mails from the customer and enabled Safe Links capabilities in our software to validate the safety of website links before end-users could open the webpage. We also ensured that all VerIT computers connected to the DNV GL IT platform had up-to-date antivirus and that the computers were patched properly.
Awareness and training
Maintaining high levels of awareness is critical to successful data protection. During 2019, we provided further data protection training for our employees. By year-end, over 6,600 employees had completed an e-learning on data protection and over 1,000 an e-learning on handling data breaches. At our Global Shared Service (GSS) Centre in Poland, workshops with finance and human resources focused on handling personal data breaches and local requirements of Polish data protection law.
Our GSS Quality Management function ran training in GSS units on storage of personal data. Finally, in 2019, targeted Human Resources training was provided by Group Compliance to business area and GSS human resources employees to increase awareness of relevant privacy matters. These include privacy when handling employee images and badges, payroll and health data, and privacy in recruitment processes, performance and talent management. The training has been completed by around 500 employees.
Data risks
To ensure our approach remains focused on risks for data subjects – any person whose personal data is collected or stored – we started a risk assessment process in 2019. Stakeholders from around DNV GL have been asked to identify personal data risks in their area of the business so that mitigation measures can be defined in 2020. We have identified risks in 12 main categories, including: governance and accountability; data flows and data transfer; security and Privacy by Design; data subjects’ rights; and training and awareness.
Personal data protection
Following the alignment of our data protection approach with GDPR in 2018, we continued to improve our data protection management system in 2019 and ensure it is fully established throughout the business. To support this, the Group Compliance function has convened a cross-business network to improve communication on data protection, create common understanding on legal requirements and promote alignment across DNV GL. All business areas, Group functions and our Global Shared Services unit are represented on the network. Through the network, advice on data protection measures is shared and progress is reported back to Group Compliance.
The network met twice in 2019 and uses a digital collaboration tool to communicate new developments in data protection. Business areas and GSS are responsible for implementing data protection measures and Group Compliance provides a centralized governance function. All business areas have conducted data protection risk assessments and have incorporated personal data risk into their business area risk management processes.
Data privacy remains an essential part of ensuring legal compliance. We maintain our understanding of the data protection landscape through our data protection network, external training, legal advice and monitoring cases raised by data protection authorities in the countries and regions where we operate.
In Brazil, a new personal data protection law, very similar to GDPR, will come into force in August 2020. This reflects a growing global trend of countries establishing national data protection laws. Before the deadline in Brazil, Group Compliance will support the local implementation team to ensure a smooth transition to compliance with the new requirements.
Continuing the risk assessment started in 2019, we will focus our attention in 2020 on the areas of high risk for data subjects that we have identified. These include lifecycle management of applications from launch to end-of-life, roles and responsibilities linked to personal data, and unstructured data outside of production systems, such as SharePoint or Excel applications. We will also continue to focus on emerging financial or reputational risks related to data protection identified through our risk assessments.
Internally, we will ensure we maintain high awareness of cyber security and data protection issues and our approach.
Personal data protection
DNV GL has an established data protection management system that is in line with the ISO 19600 standard on compliance management. Responsibility for data protection sits with Group Compliance and the Global Data Protection Officer.
We have a comprehensive suite of policies, guidelines and instructions that set our standards for data privacy and ensure we protect the personal data of employees and customers. All of our documentation and processes are aligned with, and fulfil, GDPR requirements. An important enabler for data protection is training all employees, and particularly those dealing with personal data as part of their daily work.
Customer data is handled in accordance with the confidentiality obligations outlined in the terms and conditions of our customer contracts. We are also a Binding Corporate Rules (BCR) certified company, meaning that customer and employee data can be transferred within DNV GL Group to countries outside the European Union and European Economic Area.
IT and data security
Our Global Shared Services IT function invests significant resources in continuously monitoring and repairing IT-system vulnerabilities, following best practices on patching. We work on the cyber-security principle of ‘assume breach’. This principle assumes that competent and resourceful attackers will be able to break into our systems and we therefore direct resources into our ability to detect and mitigate such security breaches.
During a typical month DNV GL’s security system will stop 200,000–300,000 phishing attacks and 40,000–50,000 instances of payload/malware. We use machine learning to develop smarter algorithms with our main IT vendor, IBM, to identify which of these pose the most significant threats in order to detect and prevent cyber attacks. Most attack attempts on DNV GL use email as the attack vector and, as a result, we believe that investing in employees’ cyber security awareness and competence is essential.
To ensure that DNV GL adheres to the highest level of data protection, our information security management systems for GSS IT, Energy, Oil & Gas, Digital Solutions and Maritime are certified to the ISO 27001 information security standard. We have a detailed information classification system to segment and secure more sensitive information within our IT system.
Our GSS IT department operates a Computer Emergency Response Team that is activated during more complex and advanced cyber security situations.