Digital Citizenship: Ethical Use of Data & Responsible Use of … – Walmart Corporate

Privacy by Design

Walmart aims to build trust with our customers and stakeholders by considering their privacy throughout the design process. Walmart’s Global Privacy by Design Policy is constructed to ensure privacy controls are incorporated in the design, development, procurement, or modification of technology, business processes, or projects that involve the processing of personal information. The policy is based on adherence to the principles of Privacy by Design, including:

• Proactive and preventative: Privacy controls and practices should be considered from the outset rather than after development.
• Privacy by default: We seek to respect privacy and protection by default, through methods including transparency in the collection of personal information, only processing the personal information necessary to achieve our business purpose, and using and retaining data in line with law and policy.
• Design assessment: Our teams conduct privacy risk assessments and privacy impact assessments as part of the design or redesign of technology, processes, and projects to determine risks, legal requirements, and mitigation measures.
• Balancing interests: We strive to accommodate both the privacy of individuals and Walmart’s legitimate business objectives so we can better serve our customers now and in the future.
• Security: End-to-end security considerations that support privacy protections will be assessed and addressed prior to implementation.

Communicating Privacy Information

Through Walmart’s privacy notices, we aim to build trust through transparency. Our privacy notices disclose to customers, associates and other stakeholders clear, prominent and easily accessible information on what personal information we collect, how and why we collect it, how we use and protect it, how long we keep it, when and with whom we share it, and what privacy rights our stakeholders may have. We regularly review our notices and update them where appropriate to cover new regulations, technologies, and services.

Examples of our privacy notices in the United States include:

• Walmart Privacy Notice. This notice tells customers about the information we collect in stores and online in order to provide them with products and services and to run our business. In addition to telling customers how we collect, use, share, and protect their personal information, we also outline what choices customers have about how their personal information is used for advertising and marketing purposes.
• Walmart Associate Information Privacy Notice. This notice informs current and former associates about the personal information we collect and use for purposes of the employment relationship and to fulfill our obligations as an employer.
• Walmart Supplier Privacy Notice. This notice informs our suppliers about the information we collect, use, and share as part of managing our business relationship with them.

We have a number of other U.S.-focused privacy notices relevant to our specialized operations such as Health & Wellness and Financial Services; please see our Privacy and Security page and the Additional Resources section below for a more comprehensive list. Walmart’s international markets also have privacy notices that are specific to those markets’ businesses.

Stakeholders can contact Walmart with privacy inquiries or concerns by visiting our Store and Corporate Feedback page and selecting “Company Feedback and Questions” from the menu or writing to the Walmart Privacy Office.

Privacy Practices

Walmart teams track emerging privacy laws in the United States and other countries where we operate and implement programs across the global enterprise to comply with those laws, anticipate future developments, and meet stakeholder expectations. For example, in FY2023 Walmart’s Digital Citizenship and Regulatory Change Management teams launched a set of January 2023 updates to our privacy notices related to the implementation of the California Privacy Rights Act and the Virginia Consumer Data Protection Act, and are preparing for the implementation of new or revised privacy laws and regulations in Colorado, Connecticut, and Utah.

In addition, our Digital Values team includes professionals who manage governance for our websites and mobile apps. This team helps guide decisions and implement policies regarding the sharing of data with third parties, online tracking technologies, and the use of data in advertising and marketing efforts. The team helps business partners understand the rapidly changing technology landscape and implications for Walmart initiatives.

Engaging with Stakeholders on Privacy

Walmart works with policymakers to enhance consumer privacy in the omni-channel world. We strongly support bipartisan efforts toward a national privacy law that protects the rights of all consumers in the U.S. In the absence of a preemptive federal law, Walmart supports state laws that give consumers greater control over their data and that provide companies with clear expectations and reasonable compliance standards.

Read more: Engagement in Public Policy

Data, Records, & Information Management

Our data governance policies, standards and processes are designed to ensure data and information are secure and accurate, that Walmart’s management of the data complies with U.S. and other market-specific regulatory requirements, and that we earn and maintain the trust of our customers, associates, and business partners.

Policies and Standards

Walmart’s data governance policies include:

• Global Records Management: Defines how we manage, retain, and dispose of records created or used throughout our business.
• Global Data Governance Policies: A set of policies that address roles and responsibilities, data classification, data sharing, and data products designed to ensure Walmart understands the data it has and how that data is handled, shared, and classified.
• Artificial Intelligence, Machine Learning, and Automated Decisioning Policy: Provides guidance for the company in the design, implementation, and review of automated decisioning solutions, models, and technology.

In addition, Digital Citizenship maintains and implements Walmart’s global data incident response policies for reporting and addressing any actual or suspected data incidents in a timely and lawful manner. The policies are supported by data breach notification and regulatory reporting guidelines and standards.

Information Management Practices

Information management practices include:

Controls and monitoring: Ongoing monitoring of data and privacy controls to confirm their effectiveness and to help identify opportunities to keep our systems and processes evergreen; establishing data owners and stewards within business units to drive accountability in the use and access of data; and creation of a Know Your Data process to increase visibility into data being shared internally and externally. Walmart utilizes the Enterprise Privacy Risk Assessment process to identify and manage privacy implications related to the use of personal information in new and existing applications. This review helps ensure the management of personal information is responsible and compliant with our standards and policies.

Risk assessment: We conduct a periodic risk assessment for the purposes of risk-spotting, risk-based monitoring, and to ensure the highest-ranked risks are addressed with appropriate controls.

Training: We also have required trainings for our associates to understand the policies relevant to their functions and business units, and we engage business leaders to implement the policies through functional business processes, practices, and tools. Associates failing to comply with these policies are subject to potential disciplinary action, up to and including termination.

Cybersecurity

Governance

Walmart’s Chief Information Security Officer (CISO) is responsible for cybersecurity and information security within the company. The Audit Committee of Walmart’s Board of Directors oversees cybersecurity and information security for the company and meets with the CISO at least annually to discuss the status of cybersecurity efforts. Audit Committee materials are provided to the full Walmart Inc. Board of Directors.

Walmart’s Enterprise Risk Management process incorporates cybersecurity risk, with the CISO responsible for management. The CISO makes regular reports to Walmart’s executive leadership team and Disclosure Committee on the status of our cybersecurity programs.

Walmart’s Information Security department (InfoSec) supports the CISO and seeks to ensure the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. InfoSec’s goal is to keep Walmart secure by taking a proactive approach; it helps associates understand and follow Walmart directives, ensures the company is complying with regulatory and industry requirements and following best practices, and reports and responds to suspicious activity.

Walmart’s information security program is based on the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST-CSF). The program includes policies and standards to keep information secure. The Information Security Program Management policy is the foundation of Walmart’s information security program. The policy applies everywhere Walmart data is stored or processed- within Walmart and outside it- and speaks to the security requirements for assessments, account, and device security; personnel security; and awareness and training. Additional policies cover the key elements of the NIST-CSF framework. These policies include escalation processes that associates can follow should they notice something suspicious; associates are required to report known or suspected violations of the policies. Policy violations may result in disciplinary action up to and including termination or legal action.

Vendors that have access to Walmart information are required to manage such information in accordance with laws and appropriate privacy and security standards. Standards are applied on a per-contract basis and include requirements to have an information security program and report to Walmart any incidents in which Walmart’s confidential information or systems are compromised.

Processes & Procedures

In addition to effective policy and oversight, we promote a secure environment through risk management, training and communication, and incident management.

Risk management: We annually assess our cybersecurity programs against third-party requirements including NIST-CSF, PCI, HIPAA and the Sarbanes-Oxley Act (SOX). Our most recent external assessment occurred in FY2023 when external auditors reviewed our information technology infrastructure and our information security management systems. Walmart tests multiple aspects of cybersecurity regularly, including semi-annual testing of our technical recovery and incident response procedures. Our vulnerability testing program includes (1) testing in our software development life cycle, (2) penetration testing, (3) our dedicated red team, and (4) vulnerability scanning. Walmart uses several methodologies, including tabletop exercises and incident response testing and vulnerability analyses that simulate attacks. Some of our systems and third-party service providers’ systems have experienced security incidents or breaches1 and these cybersecurity attempts and incidents have informed Walmart’s approach to its cyber governance, policies and procedures, or technologies.