Strategic Shareholder Climate and Risk Financial Financial Barclays PLC 262 report information sustainability report Governance review review statements Annual Report 2022 ESG: Governance (continued) Managing data privacy, security and resilience We have strict policies to protect privacy and keep data secure. Barclays provides a public mailbox and As Barclays accelerates the migration of Data privacy secure channels via its website to enable digital services to the cloud, we apply the Most of the jurisdictions in which Barclays individuals to make their privacy requests same design principles that underpin our operates have privacy and data protection and receive responses from a dedicated existing control environment. We have laws in effect. While these may vary in team. strong controls and monitoring in place detail, generally they reflect internationally designed to secure cloud-hosted data and Barclays requires its suppliers to comply recognised privacy principles found in the maintain its integrity. with data protection and privacy laws, UN’s Universal Declaration of Human regulations and standards relevant to the Rights, the European Convention on Barclays has continued to take steps in jurisdictions in which they operate and Human Rights and the European Union’s 2022 to address the security of data we relevant to any transferred personal data. Charter of Fundamental Rights. share with third parties, including Our requirements are set out and conducting remote and on-site We strive to operate in accordance with managed through the Barclays Supplier inspections with certain suppliers to review these standards and recognise that Control Obligations, available online, which their controls against contractual respect for privacy rights is a key element look to provide assurance that all new and obligations and industry standards. A Third of good corporate governance and social existing suppliers commit to ensuring Party Service Provider Framework is in responsibility. We strive to be transparent personal data shared with them is place which sets out control requirements about our use of personal information safeguarded and respected throughout for business units to manage the when delivering our products and services the supply chain. operational, reputational, conduct and and acknowledge the responsibility we legal risks to Barclays through its supply have for safeguarding privacy. Data security chain. As Barclays increasingly adopts digital In 2022, we continued to strengthen our As we have transitioned to a more hybrid solutions to deliver next-generation data security policies and controls to working model, we have augmented the consumer financial services, we appreciate protect Barclays' sensitive information and education we provide to colleagues and our clients, customers and others may the data that has been entrusted to us by strengthened the monitoring of how have concerns about the use of their customers and clients. customer and client data is accessed and personal information. A globally applicable Barclays assesses its cybersecurity used to help minimise the risk of Barclays Data Privacy Standard sets out programme against the industry- exploitation or leakage. what is expected of all Barclays businesses recognised National Institute of Standards and functions when collecting, using and and Technology (NIST) Cyber security Data resilience sharing personal information. Framework, and we have adopted the The Barclays CSO has a set of To promote clear accountability, the extended Financial Services Sector Profile. preventative key controls that mitigate Standard includes the requirement for During 2022, we have continued to deploy cyber-related risks. These focus on each business to appoint an accountable automated controls which work to understanding internal and external executive who has ultimate responsibility threats and delivering our capability to discover data that is highly sensitive that for the processing of personal data within needs to be protected in line with our counteract them. Large-scale data that business. An agreed assurance standards. corruption is one cyber threat on which we programme measures compliance with are focused. the Data Privacy Standard. Barclays Major risk events have been seen in other colleagues must complete annual privacy organisations and Barclays is focused on training which is reviewed and refreshed continuously reviewing and improving our each year, with additional tailored training response and recovery plans in provided as necessary. The Group Data preparation for these evolving threats. Our Protection Officer (DPO) reports on data teams use intelligence to create plausible privacy issues to the highest level of cybersecurity and data compromise management. scenarios which we simulate to help us Through customer and employee privacy focus on continuous improvement. notices, we endeavour to explain clearly and openly how and why we use personal information and the legal grounds we rely on. When we receive complaints we seek to address them fairly. Several jurisdictions also provide individuals with specific rights, such as the right to have access to or request deletion of their personal information.