GRI 418: Customer Privacy 2016

EFFECTIVE DATE: 1 JULY 2018


Introduction

GRI 418: Customer Privacy 2016 contains disclosures for organizations to report information about their impacts related to customer privacy, and how they manage these impacts.

The Standard is structured as follows:

  • Section 1 contains a requirement, which provides information about how the organization manages its customer privacy-related impacts.
  • Section 2 contains one disclosure, which provides information about the organization’s customer privacy-related impacts.
  • The Glossary contains defined terms with a specific meaning when used in the GRI Standards. The terms are underlined in the text of the GRI Standards and linked to the definitions.
  • The Bibliography lists authoritative intergovernmental instruments used in developing this Standard.

Background on the topic

This Standard addresses the topic of customer privacy, including losses of customer data and breaches of customer privacy. These can result from non-compliance with existing laws, regulations and/or other voluntary standards regarding the protection of customer privacy.

These concepts are covered in key instruments of the Organisation for Economic Co-operation and Development: see the Bibliography.


1. Topic management disclosures

An organization reporting in accordance with the GRI Standards is required to report how it manages each of its material topics.

An organization that has determined customer privacy to be a material topic is required to report how it manages the topic using Disclosure 3-3 in GRI 3: Material Topics 2021 (see clause 1.1 in this section).

This section is therefore designed to supplement – and not replace – Disclosure 3-3 in GRI 3.

REQUIREMENTS

  • 1.1 The reporting organization shall report how it manages customer privacy using Disclosure 3-3 in GRI 3: Material Topics 2021.

2. Topic disclosures

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

REQUIREMENTS

The reporting organization shall report the following information:

  • a. Total number of substantiated complaints received concerning breaches of customer privacy, categorized by:
    • i. complaints received from outside parties and substantiated by the organization;
    • ii. complaints from regulatory bodies.
  • b. Total number of identified leaks, thefts, or losses of customer data.
  • c. If the organization has not identified any substantiated complaints, a brief statement of this fact is sufficient.

Compilation requirements

  • 2.1 When compiling the information specified in Disclosure 418-1, the reporting organization shall indicate if a substantial number of these breaches relate to events in preceding years.

GUIDANCE

Background
Protection of customer privacy is a generally recognized goal in national regulations and organizational policies. As set out in the Organisation for Economic Co-operation and Development (OECD) OECD Guidelines for Multinational Enterprises, organizations are expected to ‘respect consumer privacy and take reasonable measures to ensure the security of personal data that they collect, store, process or disseminate’.

To protect customer privacy, an organization is expected to limit its collection of personal data, to collect data by lawful means, and to be transparent about how data are gathered, used, and secured. The organization is also expected to not disclose or use personal customer information for any purposes other than those agreed upon, and to communicate any changes in data protection policies or measures to customers directly.

This disclosure provides an evaluation of the success of management systems and procedures relating to customer privacy protection.


Bibliography

This section lists authoritative intergovernmental instruments used in developing this Standard.

Authoritative instruments:

  • Organisation for Economic Co-operation and Development (OECD), OECD Guidelines for Multinational Enterprises, 2011.