Accenture's Global Approach To General Data Protection Regulation Implementation

Update: 2018-10-17 06:53 GMT
story

Because the GDPR applies to processingof personal data of individuals in the EU,regardless of where it is processed or stored,Accenture is addressing the new requirementsacross all geographies as a consistent, globalstandard to address client needs...GeneralOn 25 May 2018, the General Data Protection Regulation(GDPR)1 came into force. This is a Regulation designedto unify data privacy laws...

Because the GDPR applies to processing

of personal data of individuals in the EU,

regardless of where it is processed or stored,

Accenture is addressing the new requirements

across all geographies as a consistent, global

standard to address client needs...

General

On 25 May 2018, the General Data Protection Regulation

(GDPR)1 came into force. This is a Regulation designed

to unify data privacy laws across the European Union

(EU), and protect and strengthen the data privacy rights

of individuals in the EU. GDPR strives to reshape the way

organizations approach data privacy, with a focus on,

among others, accountability, widening the territorial scope

of the EU data protection obligations, increasing individual

rights, and imposing material fines for non-compliance.

The Regulation protects the data of all individuals located

in the EU, regardless of their nationality. If a tech company

(even when outside the EU) hosts, handles or exchanges the data of any EU resident, it is required to be GDPR compliant.

GDPR requires strengthening of data privacy controls,

enhancing of technology for management of personal data,

and the supplying of detailed documentation. In the past,

only data controllers (those who determine the how and the

why of data processing) assumed responsibility for data

protection. Now, for the first time, data processors (those

processing data on behalf of the data controller – mainly

suppliers), too, have direct compliance risk and obligation.

Accenture's Approach

The GDPR is a step change in regulatory data privacy

expectations and places significant new requirements on both Accenture's clients and Accenture's operations, not just in the

EU, but globally. Because the GDPR applies to processing of personal

data of individuals in the EU, regardless of where it is processed

or stored, Accenture is addressing the new requirements across all

geographies as a consistent, global standard to address client needs.

The following highlights some of Accenture's efforts in responding

to GDPR requirements:

Embedding GDPR requirements into Accenture's

Client Data Protection (CDP) program

Our Client Data Protection (CDP) program governs the

stewardship of client information and systems entrusted

to Accenture as part of client-specific projects and outsourcing

arrangements as well as when clients are using platforms and

services that Accenture operates across multiple clients.

The CDP program defines a set of required management

processes and controls to protect our clients' data against a

variety of information security and data privacy risks and

consists of the following key elements:

  • Accountability - Senior-level responsibility for data

    protection and mandatory program adoption for all

    engagements.

  • Foundational controls - Required controls for storing,

    accessing, handling, transmitting, and hosting client

    data.

  • Service-specific controls - Service-specific controls

    tied to risks inherent in specific types of work, such as

    business process operations, application development,

    and infrastructure services, including cloud-based

    infrastructure.

  • Training and awareness - Mandatory data protection

    training provided on a regular basis.

  • Technology - Technology support including hard

    drive and USB encryption, workstation configuration

    scanning, web filtering, data loss prevention,

    vulnerability scanning, and penetration testing.

  • Information security and data privacy subject

    matter expertise - Tools, processes, and subject matter

    specialist support for project teams.

    Our CDP program spans the protection of personal data,

    as well as the physical, application, and infrastructure

    environments where the data resides and has the

    flexibility to incorporate client-specific information

    security requirements. This approach has enabled our

    CDP program to fully map to ISO 27001 standards, and

    the British Standards Institution (BSI) has certified that

    Accenture's global Client Data Protection program meets

    the ISO 27001:2013 information security standard,

    the international standard for information security

    management.

In addition, Accenture implemented new GDPR-related CDP

controls in the following areas:

  • Purpose limitation - Limiting the collection and use

    of personal data to only those purposes for which

    Accenture was specifically contracted.

  • Notice - Confirming that appropriate privacy notices

    have been provided and following client instructions

    when providing such notices on their behalf.

  • Individual rights - Implementing processes

    into solution or application design based on our

    clients' instructions to enable individuals the ability to

    access, view, correct, and/or delete collected personal

    data.

  • Data transfers - Establishing data transfer agreements

    with clients as appropriate when data originating from

    EU/EEA (European Economic Area) is being transferred

    to another country.

Working across the ecosystem:

Interactions between clients, Accenture,

and Accenture third-party providers

Working across the client-service ecosystem, the GDPR

requires alignment across two types of contractual

relationships: the "controller-processor" relationship for

contracts with our clients and the "processor-subprocessor"

relationship for contracts with our third-party providers.

  • Contracts with clients. Accenture, in its contracts

    addresses provisions that the GDPR requires to be in

    controller-processor contracts. Although the GDPR does

    not prescribe the "technical and organizational security

    measures" that need to be implemented by the parties,

    Accenture's approach to contracting assumes that it will

    work together with its clients to clearly align on and

    document each party's obligations around the protection

    and privacy of client personal data and to reasonably

    balance the risk allocation/liability provisions.

  • Third-party providers. Accenture has enhanced the

    supplier management processes to include specific

    GDPR requirements in supplier due diligence and

    supplier assessment processes.

Appointing a Data Protection Officer

Accenture revised its existing data protection officer

approach to respond to the GDPR and appointed a global

Data Protection Officer (DPO) supported by a network of

Privacy & Security professionals. These roles oversee that

GDPR requirements are being followed properly within

our organization and they work with our geographic and

business groups internally.

The DPO focuses among others on monitoring the

implementation of Accenture's compliance programs and

employee training in data protection. The DPO acts as the

primary contact for competent data privacy regulators.

Enhancing employee training,

communications and security behavior

change program

Accenture has enhanced focus on training and

communications to provide employees with relevant GDPR

awareness and training. Mediums like self-paced learning

boards, webcasts, short video communications, and

mandatory GDPR awareness trainings are being deployed

to enhance the understanding of GDPR. Our training

and awareness programs have long been successful in

changing behaviors resulting in greater understanding and

awareness of a company-wide mindset when it comes to

data privacy and security. We continue to collaborate with

our employees, clients, and partners to evolve and improve

our data privacy and security practices as technologies

become smarter and more pervasive.

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to

the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

(Text with EEA relevance), OJ L 119, 4.5.2016, p. 1–88

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.


By - Rajeev Chopra

Rajeev, currently in the 30th year of his career, has been previously associated with several law firms and national and multinational corporates which has shaped his illustrious career. He started his career with private practice in the Delhi High Court, before moving to law firms in corporate commercial practice. He has been the General Counsel and led legal teams in LG, Airtel and Dell, before joining Accenture in 2007. Rajeev believes that fostering a culture of inclusion, fairness, equality and ethical conduct is critical to building strong teams and fostering innovation. Rajeev has led several transformational and change management projects at Accenture.

Similar News