CYBERSECURITY & PRIVACY CONT.

are leveraged on a functional, regional and product/program basis to instill best practices in a consistent manner across the global enterprise. In certain cases, external reviewers have been engaged to ensure use of industry best practices. The goal of our collaborative privacy practice is to ensure that the collection, use and sharing of employee and customer PI is secure and compliant, and that it reinforces employee and customer trust and confidence.

Our greatest resources in protecting PI are our employees and processes. Privacy compliance is part of GM’s annual Corporate Required Training (CRT), which emphasizes the importance of privacy to our business and the high priority the company places on employee and consumer privacy. In addition to GM’s annual training, the Privacy Center conducts awareness training on emerging privacy laws and regulations with key areas of our business.

Privacy Practices

Our Information Security program is aligned to the National Institute of Standards and Technology Cyber Security Framework and International Organization for Standardization (ISO) Standards and includes elements to protect the confidentiality, integrity and availability of information.

We have a robust Information Lifecycle Management (ILM) Policy and record retention schedule that applies globally to all GM employees and other individuals or entities (e.g., contract workers, purchased services, etc.) that create or manage GM records. The ILM Policy requires that we properly retain only those records needed to meet business, fiscal and legal requirements.

GM requires an online Privacy Impact Assessment to be completed, reviewed and approved by a Privacy Center member prior to the implementation of any new product, service or process, or any change to the foregoing, involving the use of PI. Additionally, Information Security Risk Management creates a PI risk score for systems containing PI. Systems with high risk are required to have additional information technology controls.

We have instituted a cross-functional data export review process that evaluates the privacy, security and business risks of proposed data exports outside GM. Unless a proposed export is approved by the cross-functional team, it does not leave GM.

Incidents

GM has a robust process for employees to report an incident involving possible wrongdoing, a violation of GM’s Code of Conduct—Winning with Integrity, an IT or other cybersecurity event, PI incident or other concerns. This includes reporting through our toll-free GM Awareline hotline and a robust process for reviewing and investigating all alleged incidents. An employee who violates our Privacy Policy or Code of Conduct may be subject to discipline, including warnings, suspension with or without pay and/or termination of employment.

GM also has a dedicated cyber intelligence team that continuously monitors publicly available information for cyber incidents or data spills that may impact GM or our suppliers.

Customer Privacy

GM’s privacy statements are publicly disclosed on consumer-facing websites such as our corporate, vehicle brand and OnStar sites. We utilize an opt-in approach for the collection, use and sharing of consumer PI where legally required or appropriate, based on the nature of the data collected and its intended use. We also offer customers opt-out options where appropriate.

GM complies with all privacy regulations, such as General Data Protection Regulation and the California Consumer Privacy Act. We honor data subject requests under these regulations, including requests to access, make corrections to and delete data. In addition, we do not allow the use of customer PI for secondary usage if it is not disclosed in the Privacy Statement or otherwise consented to by the customer. In 2021, we did not have any material customer privacy complaints.
General Motors 2021 Sustainability Report