Sustainability Report 2021
03.2 Cybersecurity
GRI 418

03.2.1 Data privacy

Protecting our customers and their data and maintaining trust in our processes are high priorities. Our customers, employees and other stakeholders expect their personal information to be treated with the utmost care and we take this responsibility extremely seriously.

We are committed to protecting customer privacy and we cooperate closely with other stakeholders involved in the update and modernization of European privacy legislation including industry associations, members of parliament and authorities.

Strengthening our global privacy framework

The Allianz Privacy Standard (APS) is our global standard for data privacy. It defines rules and principles for collecting and processing personal data. The standard sets out six privacy principles that all employees must respect wherever they are in the world: due care; purpose specification; reasonable limitation; transparency and openness towards employees and customers on where personal data is stored and used; choice and consent; and privacy by design.

The APS is accepted by our data protection authority as our Binding Corporate Rules (BCRs). These BCRs allow Allianz Group companies to lawfully transfer personal data from within the European Economic Area to other jurisdictions, where it is required for business purposes. We also publish a Privacy Notice which clearly states the type of information we collect.

Our group-wide privacy program continues to mature as we aim to provide services digitally through our Digital by Default approach. The program includes embedding robust privacy controls – such as privacy impact assessments and data ethics assessments – monitoring activities by creating a privacy-focused culture and the Allianz Digital Privacy Guidelines. This builds on the Allianz Privacy Framework which provides:
• a global standard for data privacy (the APS);
• a Privacy Impact Assessment and risk management process;
• integration with Information Security core functions;
• data privacy and protection monitoring activities; and
• training for employees on the appropriate processing of personal data belonging to customers, employees and third-party partners.

We monitor privacy governance activities and processes across our operating entities through a robust process which includes site visits, reviews of program documents, interviews and expert challenge calls. During the pandemic, site visits were replaced by virtual meetings without any loss in efficacy. We are now conducting activities in-person as conditions allow. Despite travel restrictions, at least 14 reviews were undertaken in 2021. For comparison, 11 and 10 reviews were undertaken in 2020 and 2019 respectively.

Privacy risk management

We identify and manage privacy risks at the operational process level to ensure they are measured, monitored and mitigated across our core businesses. Privacy Impact Assessments (PIAs) of high exposure processes that use personal data, such as customer health data and employee data, enable the early identification of risks to ensure they are managed appropriately.

In 2021, we developed a global privacy ‘blueprint’ of risk scenarios and control to support local compliance efforts with the APS across the entire Allianz Group. The blueprint provides a tool for identifying data privacy risks in local business processes and addressing those risks by mapping them to standard controls. This does not replace existing compliance requirements under the APS to conduct PIAs, rather it is a tool to supplement existing data privacy compliance efforts and help operating entities analyze and identify data privacy risks in their business processes.

We also commit to ensuring that adequate and effective controls are in place to address data privacy risks associated with the processing of personal data by external suppliers on behalf of Allianz. In 2021, we developed new controls across the supplier life-cycle along with guidelines for supplier management which supplement the APS and are a mandatory part of the Allianz Privacy Framework. These controls are embedded in the Allianz Group Integrated Risk and Control System catalogue and Protection and Resilience Control catalogue to ensure close alignment between the data privacy, operations and risk functions.

03.2.2 Data ethics

Allianz values data as a key asset and strives to position itself as a leading player in leveraging data in the most compliant and ethical way, both as insurer and investor. We set up the Allianz Data Ethics Project in response to the increasing regulatory initiatives and public debate on data ethics and Artificial Intelligence (AI) worldwide to strengthen the internal governance framework for AI and position Allianz in the regulatory field.

In 2021, we established a Data Advisory Board (DAB) which covers data ethics and selected data-related topics on a more permanent basis. The DAB consists of representatives from operating entities and functions including Data Analytics, Data Architecture, Privacy and Regulatory Affairs. Its objectives are to:
• elevate data ethics and selected data and analytics-related topics in the governance and decision-making processes of Allianz Group;
• position Allianz as a leading insurer and investor in the ethical and effective usage of data and Artificial Intelligence/Analytics; and
• support the overall sustainability efforts and activities of Allianz Group.

In addition, the newly developed Allianz Practical Guidance for AI was rolled out in various operating entities, accompanied by a dedicated communication and training program for relevant employees. Privacy and Ethics Impact Assessments were introduced to identify and address AI-specific risks. With these measures, data scientists, business and control functions dealing with AI solutions are supported to embed ‘Ethics by Design’ in our organization and oversee challenges and risks in the area of AI.