Business risks/Reputational crisis management | |
---|---|
Risk identification | Risk management |
Prejudicial events or information mainly related to the use or misuse of a product, or an inappropriate individual behaviour, whether proven or not, could affect the reputation of L’Oréal, its 37 major international brands and its products and, as a result, affect sales and, more generally, its financial position. The impact of the risk could be amplified, notably, by:
The impact and management of risk associated with social selling, particularly via influencers, are described in the risk factor entitled “Evolution of sales channels”. See the “Safety of people and property” risk factor in the security crisis management information. |
L’Oréal has implemented the following:
The deployment of the Code of Ethics throughout the Group aims at reinforcing the dissemination of the rules of conduct which form the basis of L’Oréal’s integrity and ethics. These rules of conduct seek to guide actions and behaviour, inspire choices and make sure that the Group’s values are reflected in the everyday acts of each employee. L’Oréal has implemented a “Code of Good Practice for the Use of Social Media” for its employees. |
Business risks/Data | |
---|---|
Risk identification | Risk management |
The data collected and processed by L’Oréal or its partners, the volume of which is increasing with the growth in digital activities, particularly personalised services for consumers, could be altered, lost, illegitimately copied or transferred or even fraudulently used. Furthermore, personal data protection regulations are being reinforced throughout the world. In particular, the European General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of 27 April 2016, which entered into force on 25 May 2018, provides for major sanctions in Europe, as do the CCPA in California, the LGPD in Brazil, the PIPL in China and the POPI Act in South Africa. The increasing adoption of various laws aimed at limiting and controlling the transfer of data is also a growing risk factor to which L’Oréal is exposed. Any breach of data integrity or confidentiality, particularly of personal data processed by L’Oréal or its partners, for exogenous or endogenous reasons (including intrusions, malicious acts, etc.) could impact the privacy or safety of its users, have a significant impact on its reputation and consumer confidence and thus on the Group’s business activities and financial position. |
The Group constantly and progressively deploys policies, learning and data management tools as well as the associated organisational and technical measures. The Global IT Department has introduced strict rules about data security (back-up, protection of, and restrictions on access to confidential data). The Group’s principles governing the processing of personal data have been rolled out all over the world to raise the awareness of all employees about respect for ethical principles, and legal and regulatory requirements in the matter. An organisation has been set up based on a Global Data Privacy Office at Group level, comprising a legal unit and a programme unit. A Group Data Protection Officer was appointed in 2018 and a network of 47 Country DPOs has been created, for all countries in the European Zone and gradually in other regions of the world. The governance is based on a Global Strategic Committee, a Steering Committee by region, as well as a network of Heads of Data Privacy within the Métiers (Transversal Functions) and Zones, responsible for the protection of personal data. They provide support to all operational stakeholders involved. This governance notably aims to monitor the Group’s compliance with different laws, by ensuring the mobilisation of all stakeholders and by adapting customer, supplier and business line processes to the Group’s rules and to applicable laws. L’Oréal’s commitments in terms of personal data and the risk management systems are detailed in paragraph 4.3.3.2. |