With today’s exponential increase in digital uses, personal data protection and information security are key issues. Tech companies are expected to provide greater data protection, transparency on how data might be used, and information in the event of any compromise. As a major service provider in Europe, Africa, and the Middle East, we are aware of our responsibilities as a trusted partner and prioritize this strategic issue at the highest level of the Group.
What do we mean by personal data protection?
As their online activities increase, users are sharing more information, often confidential or sensitive, exposing them to increased risks of identity theft, fraud, or privacy breaches.
Personal data is anything relating to your identity (name, email address, telephone number, address, etc.), payment methods (bank details, credit card numbers, etc.), location, logins, and passwords. It doesn’t matter whether you’re an Orange employee, customer, or service user, this data circulates on our networks and in our information systems. .
Our responsibility is to protect it, to align with our purpose: “As a trusted partner, Orange gives everyone the keys to a responsible digital world”, which guides all our decisions
A strategic priority for the entire Orange Group
Our Lead the Future strategic plan underlines our ambition to protect customers’ data, and it is one or our key CSR pillars.
We’re committed to respecting data rights, in accordance with local and international regulations, giving everyone the right to control what data is processed by Orange. This also means being transparent about how we use this data during all stages of the customer relationship.
Data security is an absolute priority that involves the entire Group, our partners, and our suppliers. We call on our cybersecurity specialists, but all employees contribute and ensuring our security policies are adhered to is overseen at the highest level by the Group’s leadership teams.
What measures does Orange implement to protect personal data?
We comply with the legal frameworks in force in the countries where we operate, such as the EU General Data Protection Regulation (GDPR) and national laws resulting from the EU Digital Agenda. A specific “Personal Data Protection” policy has been defined for the Group and applies both internally and with all of the Group’s partners or service providers.
We have set up various committees and a network of Data Protection Officers and “personal data” representatives to support our projects and guidelines on protecting personal data are shared with all employees.
The latest compliance status is presented to the Executive Committee, which reports to the Board of Directors.
How does Orange guarantee effective security and risk management?
Our Group Security Policy defines our main principles in line with our strategic objectives. It applies to all of our geographies and activities and complies with international and national laws and regulations.
The policy encompasses precise risk and threat management to meet the needs of our customers, and the requirements set by regulators and authorities, in particular when it comes to personal data protection and network resilience.
Our security governance is based on international standards, such as ISO 27001 for information security and ISO 27005 for risk analysis. These standards enable us to ensure all entities comply with strict security rules outlined in a common framework set by the Group.
How this security policy is implemented is closely monitored, and this is presented twice a year to the Executive Committee, which reports to the Board of Directors.
How does Orange control its own cyber risk?
Our Cyberating tool enables us to continuously assess our own cyber risk. It assigns a rating from A to F to entities based on their actual exposure and action plans implemented in accordance with the Group’s policy. It analyzes website vulnerabilities, strong encryption, IP reputation, email protection, and data presence on the dark web. We are aiming for a “B” grade in 2024 and an “A” grade in 2025 for our overall score and will document the results.
Protecting personal data and securing information is everyone’s responsibility at Orange
We raise awareness, train all Group employees, and recruit experts within our Orange Cyberdefense subsidiary to handle the increasing threats and developments in the high tech world.
We have an ambitious recruitment agenda, with 600 cybersecurity experts recruited in 2023 within Orange Cyberdefense.
We’re committed to training employees so that security becomes an inherent part of working for Orange. Our “Cyber Ready” program for all our employees includes modules on cyber threats and security measures. Our intranet hosts the employee data protection guideline, internal Group data protection policy, and a general guide on the protecting personal data in five languages.
We have achieved several certifications attesting to the quality of our security measures for the Group’s assets and those of our customers.