Cover Image
Market Research Report


Published by Mobile Market Development Ltd Product code 632592
Published Content info 34 Pages
Delivery time: 1-2 business days
Back to Top
Published: May 2, 2018 Content info: 34 Pages

The introduction of GDPR and the EU e-privacy regulations on May 25 places much more stringent requirements on organisations to ensure that an EU customer's data is only used for purposes agreed to by that customer and is held securely. This applies to both the organisation providing goods or services to a customer and any others, whether located in the EU or not, that it has contracted to handle that data. The penalties for failing to meet these requirements can be very severe.

Most mobile operators have many millions of customers and hold extensive data on them, including personal and financial information, their contacts and patterns of behaviour, meaning that any breach could affect very large numbers of people. The nature of their operations means that this data is frequently held on a number of different databases, which often include a variety of systems, increasing the risks of a breach and also making them vulnerable to attack by criminal elements.

It is important that MNOs ensure full compliance with the spirit as well as the letter of the GDPR in order to minimise the risk of default and consequent penalties. They also need be sure that they have taken all feasible actions to mitigate the risks involved.

  • Even operators with no footprint within the EU will almost certainly possess data concerning EU residents, as they roam to other markets for example. Arguably, these operators could come within the remit of the GDPR.

This report looks at the experiences of operators that have suffered a major breach and examples of preparation for GDPR and assesses the likely readiness of the industry. It reviews the approaches being taken by a number of national data protection authorities in order to understand the likelihood of severe penalties being imposed in the early days of the regulations and the types of actions that will mitigate risk and the size of penalties.

Companies : TalkTalk, Orange (Belgium), Telenor, Telia, A1, Wind Tre, CNIL, BfDI, ICO, CPDO, GPDP, AP,

Countries : Global, EU, Austria Belgium, Czech Republic, France, Germany, Ireland, Italy, Netherlands, US, UK, Denmark, Estonia, Hungary,, Malta, Lithuania, Luxembourg, Latvia, Poland, Sweden, Slovenia,

Table of Contents

Table of Contents

1 Overview

2 Introduction

  • 2.1 Background to the Report
  • 2.2 Report Content
  • 2.3 Currency and Conversions
  • 2.4 Further Questions and Feedback

3 What GDPR & E-Privacy Means for MNOs

  • 3.1 Introduction
  • 3.2 Rationale & Principles Underlying GDPR & E-privacy.
  • 3.3 The requirements of GDPR & E-privacy
    • 3.3.1 GDPR
    • 3.3.2 International Scope of GDPR
    • 3.3.3 E-privacy

4 Regulators' Approach

  • 4.1 Introduction
  • 4.2 General Guidance
  • 4.3 France, CNIL
  • 4.4 Germany, BfDI
  • 4.5 Czech Republic, CDPO
  • 4.6 Italy - GPDP
  • 4.7 Netherlands - AP
  • 4.8 UK - ICO

5 Operator Experience and Good Practice

  • 5.1 Overview
  • 5.2 Data Breach and Recovery - TalkTalk's Experience
    • 5.2.1 Background
    • 5.2.2 The Security Breaches
    • 5.2.3 The Penalties
    • 5.2.4 Impact on Business
    • 5.2.5 The IT Recovery - Remedial Action and Preparation for GDPR
  • 5.3 Achieving Compliance - An EU Operator's Approach
    • 5.3.1 Policies
    • 5.3.2 The Customer
    • 5.3.3 IT and Security
    • 5.3.4 Third Parties
    • 5.3.5 Incentives and Measurement - Departmental Status
  • 5.4 Good Practice for Customers - Orange Belgium
  • 5.5 Telenor Group
  • 5.6 Telia

6 Findings and Conclusions

  • 6.1 Summary
  • 6.2 Implications for MNOs
  • 6.3 Approach of NDPAs
  • 6.4 Conclusions

7 Recommendations

Appendix - Feedback Questions

Back to Top