All companies have an obligation to protect the integrity and confidentiality of their employees’ data. Consequently, they must exercise the controls necessary to ensure an effective balance between the nature of the data and the risks associated with access to it and its processing, storage, and transmission. For global organizations such as Kraft Foods Inc., the controls must also make certain that the company complies with the data privacy rules in force in every country where it operates. To understand how Kraft currently protects its employee data, it is necessary to review how it functions now and to turn to the Data Transfer Agreement required by the European Union’s laws. This paper proves that the processes, systems, and formal arrangements implemented by Kraft provide the security and privacy of the personal data of its employees.
First of all, it is important to note that what was known as Kraft Foods Group, Inc. is now known as Kraft Heinz. According to PotatoPro (n.d.), the company’s name was first changed from Kraft Foods Global, Inc. to Kraft Foods Group, Inc. in 2012, and it was a subsidiary of Mondelēz International until October of the same year, when Mondelēz International spun off Kraft Foods Group and it began operating as an independent organization. In 2015, it merged with Heinz, and Kraft Heinz was formed. It owns many iconic brands, among which are Jell-O, Kool-Aid, and Oscar Mayer.
The CISO Position
Security is deemed one of the main business functions of Kraft Heinz. According to Low (2020), Ricardo Lafosse, Chief Information Security Officer (CISO) at the organization, states that a breach of its cybersecurity could affect all its operations and have cascading effects across the supply chain. Lafosse’s position was created in 2002, and the person holding it is responsible for supporting the development, application, maintenance, and improvement of all security-related activities at Kraft, especially those pertaining to IT (Wright and Kakalik, 2007). As per Wright and Kakalik (2007), the CISO’s functions also include strengthening the company’s information security culture and ensuring that Kraft’s general information security strategy aligns with its business needs. To do this, the CISO regulates user access services, controls the company’s risk profile, guarantees audit compliance, and monitors security management across all of Kraft’s geographic regions.
The European Union Directive on the Protection of Personal Data
As a global organization, Kraft must obey the laws of all countries in which it runs operations. These include a number of countries within the European Union (EU), which is known for its strict rules governing the confidentiality of personal data. According to Wright and Kakalik (2007), particularly notable is the European Union Directive on the Protection of Personal Data, which became effective in 1998. The Directive’s aim is to prevent its numerous requirements from being evaded by moving data outside the EU. To that end, the Directive allows personal data to be transmitted to, or processed by, an organization in a non-EU country only if an appropriate level of protection can be provided (Wright and Kakalik, 2007). To comply with it, a Data Transfer Agreement was concluded between Kraft and all its operating units in the EU member states. In accordance with the Agreement, certain HR information can be transferred from the Kraft organizations in the EU to Kraft Foods in the United States for the purpose of global HR processing.
Through the CISO, an extensive information systems governance structure was developed, improved data security practices were introduced, and a strategy for the future was created. Risk reduction initiatives, including vulnerability and threat analyses, were also launched (Kraft Heinz, 2018). Moreover, as per Kraft Heinz (2018), risk management software is regularly used to evaluate the risks of individual systems, identify risk factors that span several systems, register risk correction activities, and warrant compliance with codes of practice. Additionally, Kraft began to shift to standardized systems platforms and architectures to improve data security. While the organization’s North American HR system continued on UPPS, all international ones were moved to the SAP HR system.
When it comes to specific security measures, both systems – UPPS and SAP HR – require user IDs and passwords, and both systems use employee IDs to identify users. No one is allowed to let unauthorized persons use their login credentials, and everyone is warned to keep all passwords secret (Kraft Heinz, 2018). Passwords are forcibly changed every forty-five days, and if an account has not been accessed within sixty days, it is locked. Those who leave Kraft have their accounts disabled the day they leave. According to Kraft Heinz (2018), access to and use of the UPPS and SAP HR systems are limited to those parts of the systems that are directly linked to an employee’s duties. Each person requesting access to UPPS or SAP HR must complete an access request form, which requires the requester’s name, ID number, title, function, and organizational aspect. The form must be signed by the employee, the employee’s manager, an HR manager, and the Security Administrator at Kraft.
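The account lifecycle rules and the access request workflow described above are concrete enough to be checked mechanically. The following Python script is an added illustration, not code from Kraft or from the cited policy document: it applies the stated thresholds (forced password change at 45 days, lock after 60 days without access, disable on the leaving date) to a constructed set of HR-system account records, and validates an access request form against the five required fields and four required signatures. The field names (`organizational_unit` for what the page calls “organizational aspect”), the `Account` structure, and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from the controls the text describes for UPPS and SAP HR.
PASSWORD_MAX_AGE_DAYS = 45      # passwords are forcibly changed every 45 days
INACTIVITY_LOCK_DAYS = 60       # an account not accessed within 60 days is locked

# Required form fields and signatures. Field names are assumptions; the page
# calls the last field "organizational aspect".
REQUIRED_FIELDS = ("name", "employee_id", "title", "function", "organizational_unit")
REQUIRED_SIGNATURES = ("employee", "manager", "hr_manager", "security_administrator")


@dataclass
class Account:
    employee_id: str            # the employee ID doubles as the user identifier
    password_changed: date
    last_login: Optional[date]  # None means the account has never been used
    created: date
    termination_date: Optional[date] = None
    status: str = "active"      # active | locked | disabled


def evaluate_account(acct: Account, today: date) -> str:
    """Return the lifecycle action the stated policy requires for one account.

    Precedence: leavers are disabled on their last day, then inactivity locks,
    then password-age rotation. Disabled accounts need no further action.
    """
    if acct.termination_date is not None and acct.termination_date <= today:
        return "disable" if acct.status != "disabled" else "none"
    if acct.status == "disabled":
        return "none"
    # An account that has never been used counts its creation date as last activity.
    last_activity = acct.last_login or acct.created
    if (today - last_activity).days > INACTIVITY_LOCK_DAYS:
        return "lock" if acct.status != "locked" else "none"
    if (today - acct.password_changed).days >= PASSWORD_MAX_AGE_DAYS:
        return "force_password_change"
    return "none"


def validate_access_request(form: dict) -> list:
    """Return the list of defects in an access request form (empty list = accepted)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not form.get(field):
            problems.append(f"missing field: {field}")
    signatures = form.get("signatures", {})
    for signer in REQUIRED_SIGNATURES:
        if not signatures.get(signer):
            problems.append(f"missing signature: {signer}")
    return problems


def review_accounts(accounts, today: date) -> dict:
    """Map employee ID to the required action, omitting accounts that need none."""
    return {a.employee_id: act for a in accounts
            if (act := evaluate_account(a, today)) != "none"}


# Constructed sample data for a review run on a fixed date.
TODAY = date(2024, 1, 31)
SAMPLE_ACCOUNTS = [
    # recent password, recent login: compliant
    Account("E1001", TODAY - timedelta(days=10), TODAY - timedelta(days=1), TODAY - timedelta(days=400)),
    # active user whose password is 50 days old: rotation due
    Account("E1002", TODAY - timedelta(days=50), TODAY - timedelta(days=2), TODAY - timedelta(days=400)),
    # last seen 70 days ago: lock for inactivity
    Account("E1003", TODAY - timedelta(days=30), TODAY - timedelta(days=70), TODAY - timedelta(days=400)),
    # created 90 days ago and never logged in: lock for inactivity
    Account("E1004", TODAY - timedelta(days=90), None, TODAY - timedelta(days=90)),
    # leaver whose last day is today: disable
    Account("E1005", TODAY - timedelta(days=5), TODAY - timedelta(days=1), TODAY - timedelta(days=400),
            termination_date=TODAY),
]

SAMPLE_FORM = {
    "name": "A. Example", "employee_id": "E1006", "title": "Payroll Analyst",
    "function": "HR", "organizational_unit": "EU Shared Services",
    "signatures": {"employee": True, "manager": True, "hr_manager": True,
                   "security_administrator": False},  # not yet countersigned
}

if __name__ == "__main__":
    for emp, action in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(emp, action)
    print(validate_access_request(SAMPLE_FORM))
```

In a real deployment the review would run daily against an export from the HR system and the resulting actions (lock, disable, forced rotation) would be applied through the identity platform and logged, so that an auditor can show each control in the policy is enforced rather than merely documented; the form check likewise belongs in front of any provisioning step, so that a request lacking the Security Administrator’s signature can never reach the system.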
In conclusion, Kraft puts a lot of effort into protecting the personal data of its employees. To ensure it abides by the laws of the European Union, in which it has operating entities, the company complied with the EU Directive’s privacy requirements and concluded the Data Transfer Agreement. Furthermore, Kraft established the position of CISO, who is responsible for all security-related activities at the organization. In addition, all possible measures have been taken to ensure it is nearly impossible to gain unwarranted access to employee data. In this way, Kraft confirms its position as a giant in the market and proves it can remain one for years to come.
Low, J. (2020). Kraft Heinz on securing complex, connected FMCG supply chains. Tech HQ. Web.
Kraft Heinz. (2018). General data protection policy [PDF document]. Web.
PotatoPro. (n.d.). Kraft Foods Group Inc. Web.
Wright, M. A., & Kakalik, J. S. (2007). Information security: Contemporary cases. Jones and Bartlett.