
Kraft Foods Inc.: Protecting Employee Data

Team 2 (LACASA): Balu G, Subrahmanya Hegde, Shrividya, Manpreet, Chandan Tiwari
Overview
 Kraft Foods Inc. is the largest confectionery, food, and beverage corporation headquartered in the United States. It markets many brands in more than 155 countries. Eleven of its brands each earn more than $1 billion annually worldwide: Kraft, Cadbury, Oscar Mayer, Maxwell House, Nabisco, Oreo, Philadelphia Cream Cheese, Jacobs, Milka, LU, and Trident. Forty of its brands are at least 100 years old.
 The company is headquartered in Northfield, Illinois, a Chicago suburb. Its European headquarters are just outside Zürich, Switzerland.
 The company's core businesses are beverages, cheese and dairy foods, snack foods, confectionery, and convenience foods.

12/8/21
Brands & Revenue
 Kraft's major brands include Kraft Dinner, Oscar Mayer, Maxwell House, Nabisco, Jacobs, Côte d'Or, Milka, LU, Vegemite, Cadbury, Trebor and Poiana, among others; 11 of its brands each generate revenues exceeding $1 billion.
 A further 70 brands have revenues greater than $100 million, and 40 brands are at least 100 years old.
 It employs a workforce of about 98,000 people: approximately 45,000 in the United States and 53,000 in 65 countries around the world, including 14 European Union (EU) member states (Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, the Netherlands, Portugal, Spain, Sweden, and the United Kingdom).
 The company's revenue was USD 40.4 billion in 2009.

The Problem
 Protect the confidentiality and integrity of employees' personal data.
 Address the risks involved in accessing, processing, storing and transmitting such data across geographies, while abiding by the laws and data privacy regulations of every country in which the company operates.
 At the same time, keep employee data centralized so that the company can administer compensation and benefits, comply with differing tax and labor regulations, and operate effectively and competitively.
Sub-Problems
 Collecting and consolidating data on a 98,000-person workforce spread across 65 countries
 Handling multiple payroll systems and integrating their data in UPPS
 Providing multiple levels of access and security controls over the data, for employees and for HR professionals, based on job requirements
 Maintaining different logon credentials for the UPPS and SAP HR systems
Protecting Employee Data

1. HOW DOES THE EU DIRECTIVE ON THE PROTECTION OF PERSONAL DATA IMPOSE REQUIREMENTS ON ORGANIZATIONS IN NON-EU COUNTRIES?
The EU Directive has two main objectives:
 To protect individual rights, in particular the privacy of personal data
 To promote the free flow of such data between EU Member States
To achieve this, the Directive establishes several requirements:
 Data must be processed fairly and lawfully: collected and processed only for explicit and legitimate purposes, and kept no longer than those purposes require.
 Individuals must be informed in advance of the purpose of the processing, of the organization collecting the data and any obligation to provide it, and of their right to access the data and correct inaccuracies.
 Data may be processed only on a lawful basis, typically the individual's clear consent.
 Appropriate technical and organizational controls must be put in place to protect such data.
To prevent these requirements from being circumvented outside the EU, the Directive allows personal data to be transferred to, or processed by, an organization in a non-EU country only if "an adequate level of protection" can be ensured.
2. HOW DOES KRAFT COMPLY WITH THE EU DATA PRIVACY REGULATIONS GOVERNING THE PROTECTION OF EMPLOYEE DATA?
 A Data Transfer Agreement was legally established between Kraft Foods International Inc. and all of its operating entities in the EU member states.
 This allows certain HR information to be transferred from the Kraft companies in the EU to Kraft Foods Inc. in the United States for the purpose of global HR processing. The agreement specifies mandatory data protection principles:
 Data is restricted to employee identification data and compensation and benefits data
 Data is disclosed only to the HR and IT personnel who need it for processing
 All such individuals are contractually bound to respect privacy
 Data is stored no longer than necessary for the HR process
 Employees in EU Member States must be informed of the purpose of the data processing
 EU employees have the right to access and correct data relating to them
 Technical and organizational security measures must be enacted by Kraft Foods Inc. in the USA to protect the privacy of personal data
3. THE EU DIRECTIVE REQUIRES "APPROPRIATE TECHNICAL AND ORGANIZATIONAL CONTROLS" TO BE IN PLACE TO PROTECT THE CONFIDENTIALITY AND INTEGRITY OF PERSONAL DATA. HOW CAN AN ORGANIZATION DETERMINE WHETHER ITS SECURITY CONTROLS ARE APPROPRIATE?
 Define the personal/consumer data, or other data, that is to be protected
 Provide a mechanism to track who is accessing the data
 Provide a mechanism for backup and recovery over a defined retention period
 Require an NDA from people who access the data from outside the organization
 Identify each person who accesses the data individually, so that every access can be attributed to a named user
 Isolate the network, people and machines that handle the data from the rest of the organization to have better control
 Provide physical security for the assets associated with the data

4. WHAT USER ACCESS CONTROLS ARE IN PLACE FOR THE UPPS AND SAP HR SYSTEMS?
UPPS:
 User ID – the employee's Social Security number
 Password
 No access beyond the employee's job responsibilities
 All passwords are to be kept private
SAP HR:
 The account administration policy is defined and enforced
 User ID – a randomly generated number
 Password
 No access beyond the employee's job responsibilities
 Passwords must be changed every forty-five days
 An account is locked if it is not accessed in 60 days
 Accounts are disabled if the holder is not an employee of Kraft

5. HOW DOES KRAFT IMPLEMENT THE FOLLOWING ACCESS CONTROLS: NEED TO KNOW; LEAST PRIVILEGE; MANDATORY ACCESS CONTROL; AND ROLE-BASED ACCESS CONTROL?
 Need to Know – HR data is disclosed only to the HR and IT personnel who need it to carry out a processing task; holding a valid username and password for a system does not by itself entitle a user to view a given record.
 Least Privilege – users are granted the least privilege necessary to perform their authorized tasks. All access to HR data is restricted to the fewest data fields possible, for the shortest time necessary, to carry out the job responsibility.
 Mandatory Access Control – the access rules are set centrally by Kraft and cannot be relaxed by the user: employees may view their own paychecks and confirm their personal information via the web site, which requires their username and password, but they are prohibited from allowing any unauthorized individual to use their login credentials. (Strictly, mandatory access control means sensitivity labels enforced by the system rather than by the data owner; what the case describes is a centrally imposed policy rather than a labelled MAC system.)
 Role-Based Access Control –
 Based on the employee's job responsibility, access to and use of the UPPS and SAP HR systems are restricted to only those portions of the systems that are directly related to the employee's job responsibility.
 Employees who are promoted, transferred or change jobs within the organization have their access privileges adjusted accordingly.
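The account-administration rules listed under question 4 (random user ID, 45-day password change, 60-day inactivity lock, disabling of non-employees), the "track who is accessing the data" control from question 3 and the need-to-know, least-privilege and role-based rules above can be expressed as one small policy engine. The following is an added example written for this page; it is not Kraft's UPPS or SAP HR configuration. The role names, the role-to-field mapping, the 8-digit user-ID format and the sample employee records are all assumptions.

```python
"""Added example (illustrative, not Kraft's UPPS or SAP HR code): a policy
engine modelling SAP HR-style account administration plus need-to-know,
least-privilege and role-based access to HR record fields."""
from dataclasses import dataclass
from datetime import date, timedelta
import secrets

# Assumed role-to-field mapping: each role sees the fewest fields its job
# needs (least privilege at field level). "employee" sees its own record only.
ROLE_FIELDS = {
    "hr_compensation": {"name", "salary", "job_grade", "benefits"},
    "hr_development": {"name", "performance_rating", "development_plan"},
    "it_admin": set(),  # administers accounts but needs no HR data
    "employee": {"name", "address", "telephone", "paycheck"},
}

PASSWORD_MAX_AGE = timedelta(days=45)   # change password every 45 days
INACTIVITY_LOCK = timedelta(days=60)    # lock after 60 days without access


@dataclass
class Account:
    user_id: str         # random identifier, never the SSN
    employee_id: str     # key of the employee's own HR record
    role: str
    is_employee: bool    # False once the person has left Kraft
    password_set: date
    last_login: date


def new_user_id() -> str:
    """Random 8-digit user ID (assumed format); carries no personal meaning."""
    return f"{secrets.randbelow(10**8):08d}"


def account_status(acct: Account, today: date) -> str:
    """Apply the account-administration rules in priority order."""
    if not acct.is_employee:
        return "disabled"
    if today - acct.last_login > INACTIVITY_LOCK:
        return "locked"
    if today - acct.password_set > PASSWORD_MAX_AGE:
        return "password_expired"
    return "active"


AUDIT = []  # who accessed what: the "track who is accessing the data" control


def permitted_fields(acct: Account, target_employee_id: str, today: date) -> set:
    """Need-to-know plus RBAC: a non-active account gets nothing, an employee
    may see only its own record, other roles see only their role's fields."""
    if account_status(acct, today) != "active":
        return set()
    if acct.role == "employee" and target_employee_id != acct.employee_id:
        return set()
    return ROLE_FIELDS.get(acct.role, set())


def read_record(acct, target_employee_id, record, requested, today):
    """Return (granted, denied) for the requested fields and log the attempt."""
    allowed = permitted_fields(acct, target_employee_id, today)
    granted = {f: record[f] for f in requested if f in allowed and f in record}
    denied = sorted(set(requested) - set(granted))
    AUDIT.append({"user_id": acct.user_id, "target": target_employee_id,
                  "date": today.isoformat(), "granted": sorted(granted),
                  "denied": denied, "status": account_status(acct, today)})
    return granted, denied


# Constructed sample data (not real employees or accounts).
TODAY = date(2021, 12, 8)
RECORDS = {
    "E2002": {"name": "J. Doe", "address": "1 Main St", "telephone": "555-0100",
              "salary": 85000, "job_grade": "G7", "benefits": "plan B",
              "performance_rating": "meets", "development_plan": "lead project",
              "paycheck": {"net": 4210.55, "tax": 1289.45}},
}
COMP_ANALYST = Account("48213907", "E1001", "hr_compensation", True,
                       date(2021, 11, 20), date(2021, 12, 7))   # active
EMPLOYEE = Account("07731246", "E2002", "employee", True,
                   date(2021, 11, 1), date(2021, 12, 6))        # active
STALE_PW = Account("19004482", "E3003", "it_admin", True,
                   date(2021, 10, 1), date(2021, 12, 1))        # password 68 days old
INACTIVE = Account("31570088", "E5005", "employee", True,
                   date(2021, 12, 1), date(2021, 9, 1))         # unused 98 days
LEAVER = Account("66120953", "E4004", "hr_compensation", False,
                 date(2021, 11, 25), date(2021, 12, 2))         # no longer employed

if __name__ == "__main__":
    print(read_record(COMP_ANALYST, "E2002", RECORDS["E2002"],
                      ["name", "salary", "performance_rating"], TODAY))
    print(read_record(EMPLOYEE, "E2002", RECORDS["E2002"],
                      ["paycheck", "salary"], TODAY))
    for acct in (STALE_PW, INACTIVE, LEAVER):
        print(acct.user_id, account_status(acct, TODAY))
    for entry in AUDIT:
        print(entry)
```

Two design points are worth noting. The status check runs before any field lookup, so a leaver or a locked account is refused even if its role would otherwise permit the field, and every attempt is logged with both the granted and the denied fields, which is what makes a later "who looked at this record" question answerable. The user ID is generated with `secrets` rather than derived from the SSN, so it reveals nothing if it leaks in a log line.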

6. IDENTIFY AT LEAST TEN EXAMPLES OF SPECIFIC HR DATA THAT ARE SENSITIVE AT KRAFT FOODS INC.
 Employee's identification and contact information
 Name
 Address
 Telephone number
 Education
 Employment duration
 Current position in the organization
 SSN
 Age/date of birth
 Salary/job grade
 Compensation and benefit data
 Assessment
 Performance rating
 Development plans
 Training

7. WHAT IS THE PURPOSE OF KRAFT'S CODE OF CONDUCT FOR COMPLIANCE AND INTEGRITY? HOW IS THIS INFORMATION DISTRIBUTED TO KRAFT EMPLOYEES?
 To increase employees' awareness of data security and ethical conduct
 To describe Kraft's standards and expectations for acceptable employee behavior
 The Code of Conduct was made available online to employees, and all managers were given a printed copy
 A summarized Code Overview was made available in 29 languages, and a printed copy was distributed to every employee below manager level
 Web-based training helps employees understand the Code of Conduct policies
8. WHY IS KRAFT MOVING AWAY FROM THE USE OF EMPLOYEE SOCIAL SECURITY NUMBERS FOR USER IDENTIFICATION ON UPPS?
 User IDs and passwords are required for both UPPS and SAP HR. Currently the UPPS user ID is the employee's Social Security number, whereas SAP HR uses a randomly generated number for employee logon.
 The user ID should be a randomly generated number.
Purpose of moving away from the Social Security number:
 To better protect employees' right to privacy
 An SSN is itself sensitive personal data that links to a great deal of other information about the employee; using it as a login identifier exposes it far more widely (on screens, in logs, in help-desk conversations) than the HR process requires
 To improve consistency between the UPPS and SAP HR systems

9. THROUGH THE UPPS, KRAFT PROVIDES ITS EMPLOYEES ONLINE ACCESS TO THEIR OWN EMPLOYEE DATA. WHY WOULD KRAFT DO THIS?
 To view paychecks – employees can see their monthly payment details, tax deductions, etc. The right data is provided to the right people, at a time convenient to the employee; because the system is online and self-service, employees can access their personal details whenever they need them.
 To confirm personal information – employees can review and update their personal information whenever something changes, such as the addition of a family member or a change of address. This reduces the time and effort HR spends collecting, maintaining and tracking updated employee information.
 To access credit union accounts – an add-on service that lets employees view their credit union account transactions.
 To make travel arrangements – with travel arrangements incorporated into the same online system, the personal data already held can be used for bookings instead of duplicating the details in another location.
 To file expense reports – when an employee settles expense reports through the single web system, all other personal and pay information is readily available for the report. For the company, this eases the effort of maintaining separate systems for payroll, travel and expenses.
The web system could also be used to communicate employee performance details if the performance evaluation tool were integrated with the existing service.
10. WHY WOULD KRAFT WANT TO MOVE ALL OF ITS NORTH AMERICAN HR TRANSACTIONS FROM UPPS TO SAP HR?
 First and foremost, SAP HR is already used internationally across 65 countries, whereas UPPS is used predominantly in North America.
 With the move to SAP HR, the North American processing is brought under the same controls that already meet the EU Directive's data privacy requirements for the EU entities.
 Managing a single HR system for all of its HR operations lets Kraft reduce the effort and resources needed to manage two systems.
 With one worldwide system, data processing is simpler and easier to handle: the other international systems can be linked to the North American system, giving access to needed employee information without delay.
 Consistency in data collection, gathering and distribution processes can be maintained if SAP HR is used globally.
 SAP HR has stronger data privacy controls than UPPS (random user IDs instead of SSNs, password expiry, inactivity lockout and account disabling, as listed under question 4).

Additional Question
 Describe the risk mitigation plan and business continuity plan in the event of Kraft becoming an independent organization.
Background:
In November 2004, the chairman and CEO of Altria Group Inc. announced that Altria was considering a potential break-up of the company. Since then there has been speculation that Altria may spin off Kraft Foods Inc., allowing Kraft to become an independent company once again.
THANK YOU!!!
