Transformative innovations—self-driving vehicles, combined with electrification and connectivity—are changing the nature of transportation and our relationships to the vehicles that move us.
As the automotive industry continues to mitigate risks in the physical world, such as crashes, emissions and congestion, new risks are emerging in the virtual world, including cybersecurity and privacy risks. Cybersecurity and data protection are critical to the digital transformation of the auto industry.
Software and connected services are key to GM’s vision of zero crashes, zero emissions and zero congestion, and with the increasing connectivity of GM vehicles, cybersecurity risks continue to evolve. Already, GM offers OnStar and connected services to more than 22 million connected vehicles globally through subscription-based and complimentary services. Safely and securely delivering these services has been possible due to a strong cybersecurity focus and priority throughout the company. GM’s organizational focus and oversight of cybersecurity is well-developed. This structure includes a dedicated Risk and Cybersecurity Committee of the Board, cybersecurity leadership tied directly to the CEO and Senior Leadership Team and a vice president of global cybersecurity who serves as a single-point senior executive. This vice president leads a dedicated organization that focuses on protecting against unauthorized access to vehicle safety systems and customer data.
Leveraging well-established risk frameworks and standards, GM is focused on cybersecurity risk throughout the entire company, including information technology and intellectual property protection, vehicle and connected services, manufacturing safety and operations, supply chain and third-party security, merger and acquisition risks and the secure integration of all new business models. Cybersecurity remains a core focus and a high priority at GM in the development of advanced driving features, semi and autonomous systems, in-market enhancements, connected services and many other software-defined services. Hardware and software protective measures are employed and a key focus of our Product Cybersecurity organization.
GM relies upon information technology systems and networked products, some of which are managed by third parties, to process, transmit and store electronic information, and to manage or support a variety of our business processes, activities and products. Additionally, GM collects and stores sensitive data, including personally identifiable information of our customers and employees, in data centers and across information technology networks. Robust privacy policies and processes are critical to protecting GM’s employees and customers, and our business.
The Privacy Center has a privacy program framework that focuses on policies, procedures, tools, guidance and training. This framework also includes a Privacy-by-Design program that requires all data-dependent initiatives to receive a privacy-focused consultation through their life cycle. The Privacy Center resides within our legal staff, and additional non-legal resources are leveraged on a functional, regional and product/program basis to instill best practices in a consistent manner across the global enterprise. In certain cases, external reviewers have been engaged to ensure use of industry best practices.
The goal of our collaborative privacy practice is to ensure that the collection, use and sharing of employee and customer PI is secure and compliant, and that it reinforces employee and customer trust and confidence. Our greatest resources in protecting PI are our employees and processes. Privacy compliance is part of GM’s annual Corporate Required Training (CRT), which emphasizes the importance of privacy to our business and the high priority the company places on employee and consumer privacy. In addition to GM’s annual training, the Privacy Center conducts awareness training on emerging privacy laws and regulations with key areas of our business.
Our Information Security program is aligned to the National Institute of Standards and Technology Cyber Security Framework and International Organization for Standardization (ISO) Standards and includes elements to protect the confidentiality, integrity and availability of information. We have a robust Information Lifecycle Management (ILM) Policy and record retention schedule that applies globally to all GM employees and other individuals or entities (e.g., contract workers, purchased services, etc.) that create or manage GM records. The ILM Policy requires that we properly retain only those records needed to meet business, fiscal and legal requirements. GM requires an online Privacy Impact Assessment to be completed, reviewed and approved by a Privacy Center member prior to the implementation of any new product, service or process, or any change to the foregoing, involving the use of PI. Additionally, Information Security Risk Management creates a PI risk score for systems containing PI. Systems with high risk are required to have additional information technology controls. We have instituted a cross-functional data export review process that evaluates the privacy, security and business risks of proposed data exports outside GM. Unless a proposed export is approved by the cross-functional team, it does not leave GM.
GM’s privacy statements are publicly disclosed on consumer-facing websites such as our corporate, vehicle brand and OnStar sites. We utilize an opt-in approach for the collection, use and sharing of consumer PI where legally required or appropriate, based on the nature of the data collected and its intended use. We also offer customers opt-out options where appropriate. GM complies with all privacy regulations, such as General Data Protection Regulation and the California Consumer Privacy Act. We honor data subject requests under these regulations, including requests to access, make corrections to and delete data. In addition, we do not allow the use of customer PI for secondary usage if it is not disclosed in the Privacy Statement or otherwise consented to by the customer. In 2021, we did not have any material customer privacy complaints.