Privacy
Privacy approach
We have rolled out a comprehensive Privacy Framework across Nokia and, to improve awareness and understanding of privacy requirements throughout the company, mandatory privacy training for all employees. In 2024, the completion rate for the mandatory training was 98%.
Given the rapidly changing privacy regulatory landscape, we apply a comprehensive company-wide privacy program to ensure accountability for privacy at all levels of Nokia. We use a ‘Three lines of defense’ risk model: business groups and corporate functions form the first line of defense, a multi-skilled central team of privacy experts forms the second line, and an independent audit team forms the third line, providing assurance under the oversight of the Audit Committee.
We have a privacy steering committee of relevant senior executives representing business groups and central functions, each of whom carries privacy responsibilities and accountability as part of their role for the organization they represent. Privacy updates are also provided regularly to Nokia’s Board of Directors and to the Audit Committee.
The Privacy Program builds privacy into our processes, products, and services. We have established core principles based on relevant laws and best practices to enable us to exercise the highest standards of integrity in dealing with and protecting personal data. We assess new privacy laws to ensure that we implement the requirements into our program and related processes. We have matured our central solution for documentation and reporting to catalogue how we use data and conduct privacy assessments that aim to mitigate privacy risk.
We are transparent about how we use personal data and about how individuals can contact us with questions or concerns about the data we hold on them in our systems. We observe the concept of data minimization, meaning we endeavor to collect only the personal data that is necessary for the purposes for which it is collected, and to retain such data for no longer than is necessary.
We implement appropriate controls to ensure that only persons with a clear and justifiable need to know can access personal data. We also have formal processes and procedures in place to manage and mitigate any risk to data subjects in the event of a personal data breach, including mechanisms to notify supervisory authorities in a timely fashion where that is required.
In 2023 we initiated a review dedicated to ensuring that privacy by design is built into our products and services. We also launched a new central privacy hub on Nokia.com to ensure we are transparent and share our privacy principles and privacy notices. We updated our process for receiving data subject access requests.
A continuous program of privacy awareness, training, and enablement ensures we effectively address areas of the highest privacy impact. This includes targeted role-based training, and a network of certified privacy professionals that regularly provide coaching on privacy topics.
For the latest information on our privacy approach visit our website.
Standards and principles
Contributing and driving security standards
We take an active role in security standards bodies such as the GSMA Security Assurance Group (SECAG), which defined NESAS (the Network Equipment Security Assurance Scheme), the GSMA Fraud and Security Group, 3GPP SA3 (which defines the security standards for 5G), ETSI and others. The development and maintenance of our products and services are supported by a company-wide Information Security Framework that reduces business risk by protecting and managing information in a consistent way, protecting Nokia’s customer data, and enabling transparency and accountability in the handling of all information:
- Our security controls and processes follow ISO/IEC 27001 and the NIST Cybersecurity Framework so that we identify and detect security threats and risks to our systems
- A critical information protection program protects Nokia’s and its customers’ information
- Our security awareness program drives cultural knowledge of security best practices and avoids potential threats to Nokia’s information
- A Third-party Security Risk Management process for Nokia suppliers ensures supply chain security and complies with legal and regulatory requirements
- Continuous internal and external auditing, together with internal and external simulated attacks, validates the security implementation
- ISO/IEC 27001 certification of selected sites assures that security compliance is attained; the scope of certification is continuously expanded
For further information on the Nokia approach to Security and Privacy you can also visit the dedicated Nokia web page.