Data privacy policy, including policies and practices regarding customer information

Our Global Privacy and Data Use Policy addresses Nielsen’s collection, use, disclosure and retention of data about unique individuals. The policy is generally applied to all Nielsen services, processes and technologies—whether client-facing or internal—that utilize individual-level data, including during the development or assessment of new processes or technology, as well as by all Nielsen affiliates, subsidiaries, majority-owned joint ventures, associates and contractors. The importance of protecting data privacy and security is also emphasized in our Supplier Code of Conduct. 

The Global Privacy and Data Use Policy is organized around a set of high-level principles: privacy by design, trust and accountability, notice, choice, data quality, data minimization, limited use and retention, access and correction, children’s data, cross-border transfers of data, transfers of data to third parties, and data security.

Additionally, Nielsen Marketing Cloud is a member of the Digital Advertising Alliance (DAA), the Network Advertising Initiative and the European DAA and adheres to the privacy codes of conduct of these organizations applicable to online advertising enablement, which the rest of Nielsen does not perform. We also prohibit our clients from identifying individuals with the data we provide them, or from using our data to make decisions relating to employment, housing, credit or insurance.

See our full Privacy Statement for more detail.

Management approach to data privacy, including programs, compliance and employee training

For consumers to willingly share information with us, they have to trust us. We therefore take seriously our commitment to keeping all personal and confidential data private.

Our approach to privacy centers on minimizing an individual’s identifiability within our processing operations to the greatest extent possible, while still observing sound data science and market research methodologies to extract research insights from individual-level data. Much of the data we use is masked or pseudonymized in various ways within our systems to protect individuals from direct identification, and we have controls in place to prevent individuals from being reidentified from data provided to our clients. We follow an approach of “privacy by design” to ensure that our privacy principles—which align with globally accepted fair information practices—are embedded in the design of our products and services during the development stage.

Where we perform measurement of the general public or our services support interest-based advertising, we do so using anonymized or pseudonymized data. We maintain extensive privacy notices on the Privacy page of our website describing the various types of data collection and use in which Nielsen engages, and we provide the public with instructions for how to opt out of our measurement products. 

Our privacy compliance program consists of:

• Policies and procedures to implement legal requirements and give effect to individual rights under privacy laws;
• A dedicated team of experienced privacy professionals to provide oversight and expertise;
• Privacy and security training for all employees, along with ongoing communications on specific topics;
• Embedding privacy by design into our products and services;
• Security and contractual controls to limit our employees’ and service providers’ access to personal data in our systems by role, and to limit onward transfer of personal data handled on our behalf;
• Response procedures to deal with data security incidents or other issues; and
• Continuous review and improvement of all aspects of our program.

See our full Privacy Statement for more on our data privacy approach, including notifications on data we collect and methods for communication to and from data subjects. 

We investigate complaints regarding our privacy and data use practices and take remedial action where appropriate. Any Nielsen associate who receives a privacy-related complaint must escalate it to Nielsen Privacy. The general public can reach out via a dedicated email address for privacy inquiries. As stated in our Nielsen Code of Conduct, we take all violations of our Code seriously; this includes any violations of our privacy compliance program. If, following an investigation, a violation is found, Nielsen will determine the appropriate consequences in accordance with local laws, which may include disciplinary action up to and including termination. In the case of potentially illegal activities, the company may also refer the matter to appropriate authorities or pursue civil or criminal remedies.

As outlined in our Supplier Code of Conduct, we expect suppliers to implement similar policies and procedures to protect data privacy and security.

Governance of privacy and data security issues, including Board oversight

Privacy issues are managed by our Chief Privacy Officer, who works with a team dedicated to handling privacy compliance, with oversight from our Chief Legal & Corporate Affairs Officer. Data security, including cyber security, is overseen by our Chief Information Security Officer, who reports directly to our Chief Legal & Corporate Affairs Officer. 

The Chief Legal & Corporate Affairs Officer and Chief Information Officer report to the Audit Committee of our Board of Directors, which oversees internal risk management and data privacy issues. The Audit Committee receives updates at least quarterly from the Chief Information Officer on Nielsen’s information, technology and data protection security systems; its preparedness in preventing, detecting and responding to breaches; and any incidents and related response efforts. The Audit Committee is responsible for sharing these updates with the full Board.

Approach to data security and cyber security

Nielsen is committed to protecting the security of all client and consumer information. Our Cyber Security Program is grounded in internationally recognized data protection principles, and we use a variety of security technologies and procedures to protect client and consumer information. We deploy and utilize innovative custom-built and commercial solutions at a global scale. Nielsen’s Cyber Security Program aligns with the National Institute of Standards and Technology’s Cyber Security Framework, which includes five core functions: identify, protect, detect, respond and recover. 

Policy and governance: Nielsen uses a principles-based approach to deliver specific control areas within the Nielsen Cyber Security Policy. This policy defines the minimum set of controls that are necessary to uphold the company’s reputation and protect sensitive information. The policy is reviewed annually to ensure appropriate controls and implementation across the company. Controls within the policy are tiered, to ensure that appropriate protection is provided for every level of information classification. Nielsen’s information classifications are: public, internal, confidential and confidential-restricted.  

Governance for this policy includes:

• An annual review of implementation;
• Annual approval from the Chief Information Security Officer;
• Publication and translation into multiple languages;
• Regular updates as indicated by changes in technology, business requirements, regulations or industry practices; and
• Emergency policy reviews and releases as required.

We have a defined exception process in place for deviation from data security controls. The process requires a review of business justifications and impacts while considering additional or alternative mitigating controls before approval is considered. 

Risk management: The Cyber Security team focuses on identifying cyber security risks throughout business streams, educating the business owners of risks and providing consultation regarding requirements for alternative mitigations. Control attestations are completed to determine how implementation has occurred across specific services, products or business processes. The Cyber Security team maintains a constant feedback loop with our Chief Legal & Corporate Affairs Officer and other members of our senior leadership team to ensure we are continually testing the security of our environment and addressing any potential issues in a timely manner. We also undertake additional risk management procedures in the following special circumstances: 

• Contracts: In coordination with Legal, the Cyber Security team regularly reviews and provides recommended information security language for client and third-party contracts to include specific security control requirements where applicable, specialized reporting and response procedures in the event of an incident, self-certification procedures, and audit rights definitions.
• New product development: The Cyber Security team employs engineers and security architects who work side by side with infrastructure, networking and application development teams to embed security into the design of new products that are either purchased or built in-house. This coordinated approach allows teams to more easily identify risks based on the capabilities, features and use cases of the new products brought into our secure environment. 
• Acquisitions: The Cyber Security team engages with acquisitions and divestitures to ensure that security is established alongside the integration of acquired technologies and networks. The acquisition and divestiture processes include due diligence measures, integration requirements and other processes that ensure compliance with the Nielsen Cyber Security Policy. In the case of joint venture (JV) partners, we work with each JV to develop an internal Cyber Security Program based on our model, utilizing our policies, practices and procedures to satisfy cyber security requirements to our level of standard.  

Assessments of third parties who collect, process or store Nielsen confidential or confidential-restricted information: The Cyber Security, Legal and Procurement teams perform in-depth cyber security assessments on third-party security implementations and technology prior to adopting third-party solutions. Reassessments are conducted on a recurring basis. 

Insurance: Nielsen procures insurance for cyber security incidents with limits applicable to the anticipated risk.

Data security and cyber security threat detection

We use a Threat and Vulnerability Management and Penetration Testing program to detect new vulnerabilities and help assign priority to remediation. This program leverages a combination of appliance-based and software agent-based scanners to detect vulnerabilities across our operations. Where possible, we integrate tools for automation and to facilitate CI/CD (Continuous Integration/Continuous Delivery) processes. We have defined remediation periods based on the severity of findings, which in turn drives prioritization and the implementation of remediation actions. 

Nielsen contracts with leading security firms to provide penetration testing services for identified high-risk applications, which we supplement with our own internal penetration tests. We also conduct targeted Red Team exercises, utilizing third-party vendors and internal teams, to test the security of our environment holistically and ensure the safety of our applications and information. 

We operate a 24/7 Cyber Security Operations Center to respond to malicious behavior and identify incidents through monitoring, alerts and analysis of network activity, as well as through cyber intelligence findings.

We continue to invest in technology and enhanced processes to assist us in staying on top of threats facing our environment. Continual improvement of these capabilities includes periodic Red Team testing conducted by a third party. This testing provides visibility to improve technology capabilities, processes and procedures within the Cyber Security Operations Center.

Data security and cyber security training

Nielsen’s Code of Conduct—which all employees must certify knowledge of annually—sets expectations for employees to protect confidential information, defines examples of confidential information, stresses the prevention of unauthorized disclosure and provides links directly to our internal Nielsen Cyber Security Policy.  

All new employees are required to complete and pass cyber security fundamentals training within their first 30 days of being employed. 

We supplement the Code of Conduct information with ongoing training provided through newsletter articles, emails, social media posts, global broadcast events, panel discussions and guest speakers. Training topics include, but are not limited to, the following:

• Data protection principles regarding the use, protection, storage, transmission and disposal of confidential information, with specific focus on how certain data may not be used;
• Guiding principles of information security (confidentiality, integrity and availability);
• Physical security measures (facilities, devices, clean desk policy, printing and shredding);
• Preventing unauthorized access; 
• User ID protection and password requirements;
• Recognizing and reporting security incidents;  
• Managers’ role in cyber security; and 
• Phishing, including simulation and quiz-based training courses in multiple languages.

Cyber Security Awareness Month: Every October, we do in-depth training and awareness on cyber security issues. With multiple weekly events, Cyber Security Awareness Month gives employees and contractors the opportunity to participate in live, virtual or on-demand activities. 

Privacy and data security incident response

Nielsen has developed a robust incident management process to respond to a wide variety of cyber incidents globally. This process includes triage, investigation, evidence collection and storage, root cause analysis, and incident resolution with executive reporting.  

Cyber security incidents are responded to by the Nielsen Cyber Security Incident Response Team. This team maintains and oversees implementation of the Executive Cyber Security Incident Response Plan, which details the response framework, executive decision-making roles, prioritization and escalation of defined events, supporting procedures and response management. This plan includes specific subprocesses such as handling privacy breaches, communications and commercial legal incidents. The Incident Response Team maintains a global capability.

Data security breaches, customer privacy incidents and losses of customer data

In 2018 and 2019, Nielsen received a small number of complaints, all of which were either unsubstantiated or resolved directly with data subjects to their satisfaction.