This is how Deutsche Telekom ensures a high level of data protection.
Audits and certifications
In order to reinforce data protection and data security in the Group, Deutsche Telekom regularly carries out relevant internal audits and certifications of corporate departments. To do so, the company uses a system of audits and certifications by external and internal experts. It plays a pioneering role here: In the telecommunications industry, certification of individual corporate departments is still the exception.
That is why Deutsche Telekom also welcomes the fact that European legislators have recognised the importance of certifications: Article 42 GDPR calls for the introduction of data protection-specific certification procedures as well as data protection labels and data protection test marks.
Internal Audit, Group Privacy and Central Security Management alone conduct several hundred audits on data protection and security per year. These examine, for example, whether only the necessary data is stored and whether it is deleted once the purpose for which it was collected has expired. This year, a special focus was placed on checking the effectiveness of the implemented anonymization procedures. Additional audits are aimed at securing the information and network technologies within the Group. For example, the implementation of the authorization, data protection, and security concepts is reviewed throughout the Group in order to identify any gaps. Such gaps can arise through security deficiencies in software solutions. Once identified, the deficiencies are remedied immediately with the aid of industrial partners.
The results of the different audits ensure a high level of data protection and security. They either prove the effectiveness of internal systems and processes or help to identify and remedy any weak points early.
Certification is a procedure carried out by external, independent bodies such as TÜV, DEKRA, or auditing firms. It proves that requirements for products, services, and their respective manufacturing procedures, including trade relationships, people, and systems, are being adhered to.
- In 2014, auditors from Deloitte & Touche confirmed the effectiveness of Deutsche Telekom's data protection-related Compliance Management System (CMS). Deutsche Telekom thereby became the first company in Germany to be certified in accordance with IDW PS 980, the audit standard of the Institut der Wirtschaftsprüfer in Deutschland e.V. (the Institute of Independent Auditors in Germany). The CMS describes the measures, processes, and audits with which the data protection organization of Deutsche Telekom ensures compliance with laws, regulations, and voluntary agreements in Group data protection.
Before the certification, the auditors analyzed the data protection organization throughout the Group over three months and checked whether the processes and systems used are effective. Result: All measures described in the CMS are effectively implemented. On September 30, 2014, the auditors confirmed the effectiveness of the CMS for Deutsche Telekom AG, Telekom Deutschland GmbH and its majority holdings, and T-Systems International GmbH and its majority holdings.
- The invoicing process was also certified. Telekom Deutschland GmbH is the first, and so far the only, telecommunications company to have its entire accounting process for fixed-line services audited and certified by independent TÜViT experts. The process involves collecting and processing all data generated for the over 27 million customers who make telephone calls every day over the fixed network of Deutsche Telekom.
- The central security management system and parts of Telekom Deutschland GmbH were awarded certification according to the international ISO 27001 standard. This confirms compliance with the requirements for an information security management system covering products, customer interaction, and internal processes.
The Open Telekom Cloud is also certified according to the Trusted Cloud Data Protection Profile for Cloud Services (TCDP). This test standard reflects the data protection requirements of the German Federal Data Protection Act for cloud computing.
Deutsche Telekom actively supports the research project AUDITOR, which is currently developing a standard for the data protection certification of cloud services according to the GDPR as a follow-up project to the Trusted Cloud project.
Telecommunications companies must train their employees on data protection law when they begin their employment. Deutsche Telekom goes beyond this requirement: Every two years, it trains all of its employees in Germany and obligates them to observe data protection and telephone confidentiality laws. Besides the prescribed training sessions, the Group trains employees on special data protection topics in the customer and HR areas. This ensures that all employees regularly and lastingly internalize the need to comply with the data protection provisions.
In addition, employees have access to online tools with self-study documentation and data protection presentations, as well as face-to-face sessions with specific focus areas, e.g. customer data protection, personnel data protection, and data protection in call centers.