PPT- Kraft Foods Inc

Transcript of PPT- Kraft Foods Inc

Page 1: PPT- Kraft Foods Inc

Kraft Foods Inc.: Protecting Employee Data

Team 2 (LACASA): Balu G, Subrahmanya Hegde, Shrividya, Manpreet, Chandan Tiwari

Page 2: PPT- Kraft Foods Inc

Overview

Kraft Foods Inc. is the largest confectionery, food, and beverage corporation headquartered in the United States. It markets many brands in more than 155 countries. 11 of its brands annually earn more than $1 Billion worldwide: Kraft, Cadbury, Oscar Mayer, Maxwell House, Nabisco, Oreo, Philadelphia Cream Cheese, Jacobs, Milka, LU, and Trident. 40 of its brands are at least 100 years old.

The company is headquartered in Northfield, Illinois, a Chicago suburb. Its European headquarters are just outside Zürich, Switzerland.

The company's core businesses are in beverage, cheese and dairy foods, snack foods, confectionery, and convenience foods.

1/12/2011 2

Page 3: PPT- Kraft Foods Inc

Brands & Revenue

70 additional brands have revenues greater than $100 million. In total, 40 brands are at least 100 years old.

It employs a workforce of about 98,000 individuals: approximately 45,000 in the United States and 53,000 in 65 countries around the world, including 14 European Union (EU) states (Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, The Netherlands, Portugal, Spain, Sweden, and the United Kingdom).

The Company’s revenue was USD 40.4 billion in 2009.

Kraft Dinner, Oscar Mayer, Maxwell House, Nabisco, Jacobs, Côte d'Or, Milka, LU, Vegemite, Cadbury, Trebor, Poiana, etc.

Kraft lists its own major brands, each generating revenues exceeding $1 billion.

Page 4: PPT- Kraft Foods Inc

The Problem

Protect the confidentiality and integrity of employees’ personal data

Address the risk involved in accessing, processing, storing and transmitting such data across various geographies, and abide by the laws and data privacy regulations of the countries in which the company operates

At the same time, keep employee data centralized so that the company can provide compensation and benefits, comply with different tax and labor regulations, and operate effectively and competitively

Page 5: PPT- Kraft Foods Inc

Sub-Problems

Collecting and consolidating data on a workforce of 98,000 from more than 155 countries

Handling multiple payroll systems and integrating data at UPPS

Multiple levels of access and security controls over the data for employees and HR professionals, based on the job requirement

Different logon credentials for the UPPS and SAP HR systems

Page 6: PPT- Kraft Foods Inc

Protecting Employee Data

The EU directive has two main objectives:

To protect individual rights: privacy of personal data

To promote the free flow of such data between EU Member States

For this, the EU directive has established several requirements:

Data must be processed fairly and lawfully, collected and processed for an explicit and legitimate purpose, and kept for no longer than that purpose requires

Individuals must be informed in advance of the purpose, the organization, and any obligation to provide the data belonging to them, and of their right to access the data and correct inaccuracies

Data may be processed only if the individual has given clear consent/approval

Appropriate technical and organizational controls must be put in place to protect such data

To prevent these requirements from being circumvented outside of the EU, the directive allows personal data to be transferred to, or processed by, an organization in a non-EU country only if “an adequate level of protection” can be ensured.

1. HOW DOES THE EU DIRECTIVE ON THE PROTECTION OF PERSONAL DATA IMPOSE REQUIREMENTS ON ORGANIZATIONS IN NON-EU COUNTRIES?

Page 7: PPT- Kraft Foods Inc

Protecting Employee Data

A Data Transfer Agreement was legally established between Kraft Foods International Inc. and all of its operating entities in the EU member states.

This allows certain HR information to be transferred from the Kraft companies in the EU to Kraft Foods Inc. in the United States for the purpose of global HR processing. The mandatory data protection principles are clearly specified:

Data is restricted to employee identification data and compensation and benefits data

Data is disclosed only to HR and IT personnel who require it for processing

All individuals are contractually bound to respect privacy

Data is stored no longer than necessary for the HR process

Employees in EU Member States must be informed of the purpose of the data processing

EU employees have the right to access and correct data relating to them

Technical and organizational security measures must be enacted by Kraft Foods Inc. in the USA to protect the privacy of personal data

2. HOW DOES KRAFT COMPLY WITH THE EU DATA PRIVACY REGULATIONS GOVERNING THE PROTECTION OF EMPLOYEE DATA?

Page 8: PPT- Kraft Foods Inc

Protecting Employee Data

Define personal/consumer data or data to be protected

Mechanism to track who is accessing the data

Mechanism for backup and recovery for a period

NDA for people who are accessing data outside

Identify people who are accessing the data individually

Isolate the network/people/machine from the rest to have better control

Provide physical security to the assets associated with the data

3. THE EU DIRECTIVE REQUIRES “APPROPRIATE TECHNICAL AND ORGANIZATIONAL CONTROLS” TO BE IN PLACE TO PROTECT THE CONFIDENTIALITY AND INTEGRITY OF PERSONAL DATA. HOW CAN AN ORGANIZATION DETERMINE WHETHER ITS SECURITY CONTROLS ARE APPROPRIATE?

Page 9: PPT- Kraft Foods Inc

Protecting Employee Data

UPPS

User ID – Social Security number

Password

No access to employee’s job responsibilities

All passwords are to be kept private

SAP HR

Defining and enforcing the account administration policy

User ID – randomly generated number

Password

No access to employee’s job responsibilities

Password is changed every forty-five days

Account is locked if it is not accessed in 60 days

Accounts are disabled if the user is not an employee of Kraft

4. WHAT USER ACCESS CONTROLS ARE IN PLACE FOR THE UPPS AND SAP HR SYSTEMS?

Page 10: PPT- Kraft Foods Inc

Protecting Employee Data

Need to Know – Each employee needs to know the username & password to log in to the systems.

Least Privilege – Users are granted the least privilege necessary to perform authorized tasks. All access to HR data is restricted to the fewest number of data fields possible, for the shortest time necessary, to carry out job responsibilities.

Mandatory Access Control – Allows employees to view paychecks and confirm their personal information via a web site that requires a username & password. Users are prohibited from allowing unauthorized individuals to use their login credentials.

Role-Based Access Control – Based on the employee’s job responsibility, access to and use of the UPPS & SAP HR systems are restricted to only those portions of the system that are directly related to the employee’s job responsibility.

Employees who are promoted, transferred or change jobs within the organization have their access privileges adjusted.

5. HOW DOES KRAFT IMPLEMENT THE FOLLOWING ACCESS CONTROLS: NEED TO KNOW; LEAST PRIVILEGE; MANDATORY ACCESS CONTROL; AND ROLE-BASED ACCESS CONTROL?

Page 11: PPT- Kraft Foods Inc

Protecting Employee Data

Employee’s Identification & Contact Information, Name, Address, Telephone Number, Education, Employment Duration, Current Position in the organization, SSN, Age/Date of Birth, Salary/Job Grade

Compensation & Benefit Data, Assessment, Performance Rating, Development Plans, Training

6. IDENTIFY AT LEAST TEN EXAMPLES OF SPECIFIC HR DATA THAT ARE SENSITIVE AT KRAFT FOODS INC.

Page 12: PPT- Kraft Foods Inc

Protecting Employee Data

To increase employees’ awareness of data security and ethical conduct

To describe Kraft’s standards and expectations for acceptable employee behavior

The code of conduct was made available online to employees, and all Managers were given a printed copy

The summarized Code Overview was made available in 29 languages, and a printed copy was distributed to every employee below the level of Manager

Web-based training to help employees understand the code of conduct policies

7. WHAT IS THE PURPOSE OF KRAFT’S CODE OF CONDUCT FOR COMPLIANCE AND INTEGRITY? HOW IS THIS INFORMATION DISTRIBUTED TO KRAFT EMPLOYEES?

Page 13: PPT- Kraft Foods Inc

Protecting Employee Data

User IDs and passwords are required for UPPS as well as SAP HR.

User ID should be a randomly generated number

Currently the UPPS employee ID is the employee’s Social Security number, and SAP HR uses a randomly generated number for employee logon

Purpose of moving away from the Social Security number:

To better protect the employee’s right to privacy

The SSN has a lot of employee information available to the organization which might not be needed

To improve consistency between the UPPS and SAP HR systems

8. WHY IS KRAFT MOVING AWAY FROM THE USE OF EMPLOYEE SOCIAL SECURITY NUMBERS FOR USER IDENTIFICATION ON UPPS?

Page 14: PPT- Kraft Foods Inc

Protecting Employee Data

View Paychecks – to see their monthly payment details, tax deductions, etc. With this access, the right data is provided to the right people at a time convenient to the employee. Because it is online and self-service, employees can access their personal details anytime they need.

Confirm Personal Information – employees are allowed to review and update their personal information whenever there is a change, such as the addition of a family member or a change in address. This reduces the time and effort HR spends collecting, maintaining and tracking updated employee personal information.

Access Credit Union Accounts – provides add-on services for employees to view their credit union account transactions, if any.

Make Travel Arrangements – with travel arrangements incorporated into the same online system, the personal data can be used for them instead of maintaining duplicate details at different locations.

File Expense Reports – whenever employees settle their expense reports through the single web system, all other personal and pay information is readily available to them for the reporting. For the Company, it eases the effort required to maintain different systems for payroll, travel and expense.

The web system can also be used to communicate employee performance details if the performance evaluation tool is integrated with the existing service.

9. THROUGH THE UPPS, KRAFT PROVIDES ITS EMPLOYEES ONLINE ACCESS TO THEIR OWN EMPLOYEE DATA. WHY WOULD KRAFT DO THIS?

Page 15: PPT- Kraft Foods Inc

Protecting Employee Data

First and foremost, SAP HR is used internationally across 65 countries, whereas UPPS is predominantly used only in North America.

With the movement to SAP HR, Kraft will by default adhere to all the required EU directive data privacy requirements.

Managing one single HR system for all its HR operations helps Kraft reduce the effort and resources needed to manage two systems.

By using one worldwide system, data processing will be simple and easy to handle. All the other international systems can be linked with the North American system, giving access to needed employee information without any delay.

Consistency in data collection, gathering and distribution processes can be maintained if the SAP HR system is used globally.

The SAP HR system has better data privacy restrictions than the UPPS system.

10. WHY WOULD KRAFT WANT TO MOVE ALL OF ITS NORTH AMERICAN HR TRANSACTIONS FROM UPPS TO SAP HR?

Page 16: PPT- Kraft Foods Inc

Additional Question

Describe the risk mitigation plan and business continuity plan in the event of Kraft becoming an independent organization.

Background: In November 2004, the chairman & CEO of Altria Group Inc. announced that Altria was looking at a potential breakup of the company. Since then there has been speculation that Altria may spin off Kraft Foods Inc., allowing Kraft to become an independent company once again.

Page 17: PPT- Kraft Foods Inc

THANK YOU!!!