The case for CSR/ Sustainability Reporting Done Responsibly


Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Home / case studies / Case study: How Idea Cellular promotes customer data security and privacy

Case study: How Idea Cellular promotes customer data security and privacy

Idea Cellular is the third largest mobile phone operator in India, with a pan-India network that spans over 400,000 towns and villages, helping connect its nearly 200 million subscribers. Protecting customer information is a key section of Idea Cellular’s privacy framework  Tweet This! and underlines its stand on the protection of the personal information of its employees, customers and relevant stakeholders.

This case study is based on the 2018 Sustainable Business Report by Idea Cellular published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Layout 1Abstract

Idea Cellular has established a company-wide privacy governance model that includes having policies, processes and checklists in place to ensure the continuing confidence of customers and stakeholders who entrust Idea Cellular with their personal information. In order to promote customer data security and privacy Idea Cellular took action to:

  • carry out privacy risk assessments
  • implement the Data Privacy Framework
  • apply the decoy deception tool

What are the material issues the company has identified?

In its 2018 Sustainable Business Report Idea Cellular identified a range of material issues, such as network reliability and availability, customer experience and satisfaction, product stewardship, digital inclusion. Among these, promoting customer data security and privacy stands out as a key material issue for Idea Cellular.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Idea Cellular engages with:

Stakeholder Group                Method of engagement


·      Customer Satisfaction (CSAT) Survey

·      Net Promoter Survey

·      Spot surveys

Employees ·      Group & Team level Employee Satisfaction survey
Franchisees ·      FSAT & Mystery Shopping
Rating Agencies


·      Annual financial statement along-with other details as may be required for Annual Review
Shareholders & Investors




·      Annual General Meeting (AGM)

·      Investor meeting

·      Analyst meeting

·      Major Event update call

·      Earning call

Regulators and Government authorities



·      Various Compliances

·      Regular Meetings

·      Correspondence

·      Report Filings




·      Supplier Assessments

·      RFP

·      Vendor Surveys

·      Vendor performance evaluation feedback

·      Contract

·      Supplier training

·      Supplier rejection




·      Annual financial statement along with Auditor’s Report

·      Quarterly Financial Statements

·      Network Rollout

·      Compliance Certificate



·      Media Events

·      Media Interactions

·      Press Releases

·      Letters to Editors

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics Idea Cellular engaged with its stakeholders through a questionnaire (suppliers and vendors) and surveys (customers and employees).

What actions were taken by Idea Cellular to promote customer data security and privacy?

In its 2018 Sustainable Business Report Idea Cellular reports that it took the following actions for promoting customer data security and privacy:

  • Carrying out privacy risk assessments
  • Idea Cellular conducts periodic privacy risk assessments to identify potential areas of risks and mitigation. ISMS (information security management system) practices are implemented to address such risks and compliance verifications are performed, through regular internal and external audits. Additionally, changes to applicable privacy laws, regulations, and policies from across various geographies are monitored and assessed and data privacy specific training programmes are designed and imparted to employees of customer accounts on all applicable privacy regulations.
  • Implementing the Data Privacy Framework
  • Idea Cellular’s Data Privacy Framework consists of three major enterprise components: the people (customers, employees, third party vendors and suppliers), the business processes and the technology (enterprise platforms).
    • The enablers of data protection and privacy under the enterprise component of ‘people’ comprise of privacy policy and procedure, the privacy of organisation and the efforts of training and awareness about it.
    • The enablers under the enterprise component of ‘business processes’ include the Personally Identifiable Information (PII) elements inventory, the PII usage framework, the privacy impact assessment framework and the Process PII containers and privacy controls.
    • The enablers under the enterprise component of ‘technology’ are application privacy controls, Aadhaar data vault privacy controls and end user privacy controls.
  • This Framework ensures a consistent approach to privacy across Idea Cellular and enables the company to have a robust privacy policy, improving privacy adherence levels. It also improves effectiveness in privacy incident management and helps Idea Cellular with improved contractual guidelines with vendors for privacy. 
  • Applying the decoy deception tool
  • Another privacy, cyber security tool deployed by Idea Cellular is the decoy deception tool, which creates virtual honeypots across the network mimicking real world systems. A honeypot is a closely monitored network decoy serving several purposes: it can distract adversaries from more valuable machines on a network, can provide early warning about new attack and exploitation trends, or allow in-depth examination of adversaries during and after exploitation of a honeypot. This helps to detect any infected systems which are scanning the entire network for further infections and entice even the stealthiest hacker into revealing themselves and drawing them away from real assets. This new generation of distributed decoy technologies that employ deception as a way to misdirect intruders and disrupt their activities at multiple points along the attack chain help delay attackers and force them to spend more time and effort figuring out what is real and whether to proceed with an attack or not.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data


Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

  • Sustainable Development Goal (SDG) 16: Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels
  • Business theme: Compliance with laws and regulations, Protection of privacy


80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

FBRH GRI Standards Certified and IEMA approved Sustainability Course | Venue: London LSE

By registering for the next 2-day FBRH GRI-Standards Certified and IEMA approved Course you will be taking the first step in gaining the many benefits of sustainability reporting.



1) This case study is based on published information by Idea Cellular, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:


Note to Idea Cellular: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.