Accenture's Global Approach To General Data Protection Regulation Implementation

Update: 2018-10-17 06:53 GMT


Because the GDPR applies to processing of personal data of individuals in the EU, regardless of where it is processed or stored, Accenture is addressing the new requirements across all geographies as a consistent, global standard to address client needs...

General

On 25 May 2018, the General Data Protection Regulation (GDPR)[1] came into force. This is a Regulation designed to unify data privacy laws across the European Union (EU), and protect and strengthen the data privacy rights of individuals in the EU. GDPR strives to reshape the way organizations approach data privacy, with a focus on, among others, accountability, widening the territorial scope of the EU data protection obligations, increasing individual rights, and imposing material fines for non-compliance.

The Regulation protects the data of all individuals located in the EU, regardless of their nationality. If a tech company (even when outside the EU) hosts, handles or exchanges the data of any EU resident, it is required to be GDPR compliant.

GDPR requires strengthening of data privacy controls, enhancing of technology for management of personal data, and the supplying of detailed documentation. In the past, only data controllers (those who determine the how and the why of data processing) assumed responsibility for data protection. Now, for the first time, data processors (those processing data on behalf of the data controller – mainly suppliers), too, have direct compliance risk and obligation.

Accenture's Approach

The GDPR is a step change in regulatory data privacy expectations and places significant new requirements on both Accenture's clients and Accenture's operations, not just in the EU, but globally. Because the GDPR applies to processing of personal data of individuals in the EU, regardless of where it is processed or stored, Accenture is addressing the new requirements across all geographies as a consistent, global standard to address client needs.

The following highlights some of Accenture's efforts in responding to GDPR requirements:

Embedding GDPR requirements into Accenture's Client Data Protection (CDP) program

Our Client Data Protection (CDP) program governs the stewardship of client information and systems entrusted to Accenture as part of client-specific projects and outsourcing arrangements as well as when clients are using platforms and services that Accenture operates across multiple clients. The CDP program defines a set of required management processes and controls to protect our clients' data against a variety of information security and data privacy risks and consists of the following key elements:

  • Accountability - Senior-level responsibility for data protection and mandatory program adoption for all engagements.
  • Foundational controls - Required controls for storing, accessing, handling, transmitting, and hosting client data.
  • Service-specific controls - Service-specific controls tied to risks inherent in specific types of work, such as business process operations, application development, and infrastructure services, including cloud-based infrastructure.
  • Training and awareness - Mandatory data protection training provided on a regular basis.
  • Technology - Technology support including hard drive and USB encryption, workstation configuration scanning, web filtering, data loss prevention, vulnerability scanning, and penetration testing.
  • Information security and data privacy subject matter expertise - Tools, processes, and subject matter specialist support for project teams.

Our CDP program spans the protection of personal data, as well as the physical, application, and infrastructure environments where the data resides and has the flexibility to incorporate client-specific information security requirements. This approach has enabled our CDP program to fully map to ISO 27001 standards, and the British Standards Institution (BSI) has certified that Accenture's global Client Data Protection program meets the ISO 27001:2013 information security standard, the international standard for information security management.

In addition, Accenture implemented new GDPR-related CDP controls in the following areas:

  • Purpose limitation - Limiting the collection and use of personal data to only those purposes for which Accenture was specifically contracted.
  • Notice - Confirming that appropriate privacy notices have been provided and following client instructions when providing such notices on their behalf.
  • Individual rights - Implementing processes into solution or application design based on our clients' instructions to enable individuals the ability to access, view, correct, and/or delete collected personal data.
  • Data transfers - Establishing data transfer agreements with clients as appropriate when data originating from the EU/EEA (European Economic Area) is being transferred to another country.

Working across the ecosystem: Interactions between clients, Accenture, and Accenture third-party providers

Working across the client-service ecosystem, the GDPR requires alignment across two types of contractual relationships: the "controller-processor" relationship for contracts with our clients and the "processor-subprocessor" relationship for contracts with our third-party providers.

  • Contracts with clients. Accenture, in its contracts, addresses the provisions that the GDPR requires to be in controller-processor contracts. Although the GDPR does not prescribe the "technical and organizational security measures" that need to be implemented by the parties, Accenture's approach to contracting assumes that it will work together with its clients to clearly align on and document each party's obligations around the protection and privacy of client personal data and to reasonably balance the risk allocation/liability provisions.
  • Third-party providers. Accenture has enhanced its supplier management processes to include specific GDPR requirements in supplier due diligence and supplier assessment processes.

Appointing a Data Protection Officer

Accenture revised its existing data protection officer approach to respond to the GDPR and appointed a global Data Protection Officer (DPO) supported by a network of Privacy & Security professionals. These roles oversee compliance with GDPR requirements within our organization and work with our geographic and business groups internally.

The DPO focuses, among other things, on monitoring the implementation of Accenture's compliance programs and employee training in data protection. The DPO acts as the primary contact for competent data privacy regulators.

Enhancing employee training, communications and security behavior change program

Accenture has an enhanced focus on training and communications to provide employees with relevant GDPR awareness and training. Media such as self-paced learning boards, webcasts, short video communications, and mandatory GDPR awareness trainings are being deployed to enhance the understanding of GDPR. Our training and awareness programs have long been successful in changing behaviors, resulting in greater understanding and awareness of a company-wide mindset when it comes to data privacy and security. We continue to collaborate with our employees, clients, and partners to evolve and improve our data privacy and security practices as technologies become smarter and more pervasive.

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016, p. 1–88

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.
