
October 17, 2018


Accenture’s Global Approach To General Data Protection Regulation Implementation


- Rajeev Chopra, Managing Director [ Accenture ]


General

On 25 May 2018, the General Data Protection Regulation (GDPR) [1] came into force. This is a Regulation designed to unify data privacy laws across the European Union (EU), and to protect and strengthen the data privacy rights of individuals in the EU. GDPR strives to reshape the way organizations approach data privacy, with a focus on, among other things, accountability, widening the territorial scope of the EU data protection obligations, increasing individual rights, and imposing material fines for non-compliance.

The Regulation protects the data of all individuals located in the EU, regardless of their nationality. If a tech company (even when outside the EU) hosts, handles or exchanges the data of any EU resident, it is required to be GDPR compliant. GDPR requires strengthening of data privacy controls, enhancing of technology for management of personal data, and the supplying of detailed documentation. In the past, only data controllers (those who determine the how and the why of data processing) assumed responsibility for data protection. Now, for the first time, data processors (those processing data on behalf of the data controller – mainly suppliers), too, have direct compliance risk and obligation.

Accenture’s Approach

The GDPR is a step change in regulatory data privacy expectations and places significant new requirements on both Accenture’s clients and Accenture’s operations, not just in the EU, but globally. Because the GDPR applies to processing of personal data of individuals in the EU, regardless of where it is processed or stored, Accenture is addressing the new requirements across all geographies as a consistent, global standard to address client needs.

The following highlights some of Accenture’s efforts in responding to GDPR requirements:

Embedding GDPR requirements into Accenture’s Client Data Protection (CDP) program

Our Client Data Protection (CDP) program governs the stewardship of client information and systems entrusted to Accenture as part of client-specific projects and outsourcing arrangements as well as when clients are using platforms and services that Accenture operates across multiple clients.

The CDP program defines a set of required management processes and controls to protect our clients’ data against a variety of information security and data privacy risks and consists of the following key elements:

  • Accountability - Senior-level responsibility for data protection and mandatory program adoption for all engagements.
  • Foundational controls - Required controls for storing, accessing, handling, transmitting, and hosting client data.
  • Service-specific controls - Service-specific controls tied to risks inherent in specific types of work, such as business process operations, application development, and infrastructure services, including cloud-based infrastructure.
  • Training and awareness - Mandatory data protection training provided on a regular basis.
  • Technology - Technology support including hard drive and USB encryption, workstation configuration scanning, web filtering, data loss prevention, vulnerability scanning, and penetration testing.
  • Information security and data privacy subject matter expertise - Tools, processes, and subject matter specialist support for project teams.

Our CDP program spans the protection of personal data, as well as the physical, application, and infrastructure environments where the data resides, and has the flexibility to incorporate client-specific information security requirements. This approach has enabled our CDP program to fully map to ISO 27001 standards, and the British Standards Institution (BSI) has certified that Accenture’s global Client Data Protection program meets the ISO 27001:2013 information security standard, the international standard for information security management.

In addition, Accenture implemented new GDPR-related CDP controls in the following areas:

  • Purpose limitation - Limiting the collection and use of personal data to only those purposes for which Accenture was specifically contracted.
  • Notice - Confirming that appropriate privacy notices have been provided and following client instructions when providing such notices on their behalf.
  • Individual rights - Implementing processes into solution or application design, based on our clients’ instructions, to give individuals the ability to access, view, correct, and/or delete collected personal data.
  • Data transfers - Establishing data transfer agreements with clients as appropriate when data originating from EU/EEA (European Economic Area) is being transferred to another country.

Working across the ecosystem: Interactions between clients, Accenture, and Accenture third-party providers

Working across the client-service ecosystem, the GDPR requires alignment across two types of contractual relationships: the “controller-processor” relationship for contracts with our clients and the “processor-subprocessor” relationship for contracts with our third-party providers.

  • Contracts with clients. Accenture, in its contracts, addresses the provisions that the GDPR requires to be in controller-processor contracts. Although the GDPR does not prescribe the “technical and organizational security measures” that need to be implemented by the parties, Accenture’s approach to contracting assumes that it will work together with its clients to clearly align on and document each party’s obligations around the protection and privacy of client personal data and to reasonably balance the risk allocation/liability provisions.
  • Third-party providers. Accenture has enhanced the supplier management processes to include specific GDPR requirements in supplier due diligence and supplier assessment processes.

Appointing a Data Protection Officer

Accenture revised its existing data protection officer approach to respond to the GDPR and appointed a global Data Protection Officer (DPO) supported by a network of Privacy & Security professionals. These roles oversee that GDPR requirements are followed properly within our organization, and they work internally with our geographic and business groups.

The DPO focuses, among other things, on monitoring the implementation of Accenture’s compliance programs and employee training in data protection. The DPO also acts as the primary contact for competent data privacy regulators.

Enhancing employee training, communications and security behavior change program

Accenture has enhanced its focus on training and communications to provide employees with relevant GDPR awareness and training. Media such as self-paced learning boards, webcasts, short video communications, and mandatory GDPR awareness training are being deployed to enhance the understanding of GDPR. Our training and awareness programs have long been successful in changing behaviors, resulting in a greater understanding and awareness of a company-wide mindset when it comes to data privacy and security. We continue to collaborate with our employees, clients, and partners to evolve and improve our data privacy and security practices as technologies become smarter and more pervasive.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016, p. 1–88.

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.
