Because the GDPR applies to processingof personal data of individuals in the EU,regardless of where it is processed or stored,Accenture is addressing the new requirementsacross all geographies as a consistent, globalstandard to address client needs...GeneralOn 25 May 2018, the General Data Protection Regulation(GDPR)1 came into force. This is a Regulation designedto unify data privacy laws...
Access the exclusive LEGAL ERAStories,Editorial and Expert Opinion
Because the GDPR applies to processing
of personal data of individuals in the EU,
regardless of where it is processed or stored,
Accenture is addressing the new requirements
across all geographies as a consistent, global
standard to address client needs...
On 25 May 2018, the General Data Protection Regulation
(GDPR)1 came into force. This is a Regulation designed
to unify data privacy laws across the European Union
(EU), and protect and strengthen the data privacy rights
of individuals in the EU. GDPR strives to reshape the way
organizations approach data privacy, with a focus on,
among others, accountability, widening the territorial scope
of the EU data protection obligations, increasing individual
rights, and imposing material fines for non-compliance.The Regulation protects the data of all individuals located
in the EU, regardless of their nationality. If a tech company
(even when outside the EU) hosts, handles or exchanges the data of any EU resident, it is required to be GDPR compliant.
GDPR requires strengthening of data privacy controls,
enhancing of technology for management of personal data,
and the supplying of detailed documentation. In the past,
only data controllers (those who determine the how and the
why of data processing) assumed responsibility for data
protection. Now, for the first time, data processors (those
processing data on behalf of the data controller – mainly
suppliers), too, have direct compliance risk and obligation.
The GDPR is a step change in regulatory data privacy
expectations and places significant new requirements on both Accenture's clients and Accenture's operations, not just in the
EU, but globally. Because the GDPR applies to processing of personal
data of individuals in the EU, regardless of where it is processed
or stored, Accenture is addressing the new requirements across all
geographies as a consistent, global standard to address client needs.The following highlights some of Accenture's efforts in responding
to GDPR requirements:
Client Data Protection (CDP) program
Our Client Data Protection (CDP) program governs the
stewardship of client information and systems entrusted
to Accenture as part of client-specific projects and outsourcing
arrangements as well as when clients are using platforms and
services that Accenture operates across multiple clients.The CDP program defines a set of required management
processes and controls to protect our clients' data against a
variety of information security and data privacy risks and
consists of the following key elements:
protection and mandatory program adoption for all
accessing, handling, transmitting, and hosting client
tied to risks inherent in specific types of work, such as
business process operations, application development,
and infrastructure services, including cloud-based
training provided on a regular basis.
drive and USB encryption, workstation configuration
scanning, web filtering, data loss prevention,
vulnerability scanning, and penetration testing.
matter expertise - Tools, processes, and subject matter
specialist support for project teams.Our CDP program spans the protection of personal data,
as well as the physical, application, and infrastructure
environments where the data resides and has the
flexibility to incorporate client-specific information
security requirements. This approach has enabled our
CDP program to fully map to ISO 27001 standards, and
the British Standards Institution (BSI) has certified that
Accenture's global Client Data Protection program meets
the ISO 27001:2013 information security standard,
the international standard for information security
In addition, Accenture implemented new GDPR-related CDP
controls in the following areas:
of personal data to only those purposes for which
Accenture was specifically contracted.
have been provided and following client instructions
when providing such notices on their behalf.
into solution or application design based on our
clients' instructions to enable individuals the ability to
access, view, correct, and/or delete collected personal
with clients as appropriate when data originating from
EU/EEA (European Economic Area) is being transferred
to another country.
Interactions between clients, Accenture,
and Accenture third-party providers
Working across the client-service ecosystem, the GDPR
requires alignment across two types of contractual
relationships: the "controller-processor" relationship for
contracts with our clients and the "processor-subprocessor"
relationship for contracts with our third-party providers.
addresses provisions that the GDPR requires to be in
controller-processor contracts. Although the GDPR does
not prescribe the "technical and organizational security
measures" that need to be implemented by the parties,
Accenture's approach to contracting assumes that it will
work together with its clients to clearly align on and
document each party's obligations around the protection
and privacy of client personal data and to reasonably
balance the risk allocation/liability provisions.
supplier management processes to include specific
GDPR requirements in supplier due diligence and
supplier assessment processes.
Accenture revised its existing data protection officer
approach to respond to the GDPR and appointed a global
Data Protection Officer (DPO) supported by a network of
Privacy & Security professionals. These roles oversee that
GDPR requirements are being followed properly within
our organization and they work with our geographic and
business groups internally.
The DPO focuses among others on monitoring the
implementation of Accenture's compliance programs and
employee training in data protection. The DPO acts as the
primary contact for competent data privacy regulators.
communications and security behavior
Accenture has enhanced focus on training and
communications to provide employees with relevant GDPR
awareness and training. Mediums like self-paced learning
boards, webcasts, short video communications, and
mandatory GDPR awareness trainings are being deployed
to enhance the understanding of GDPR. Our training
and awareness programs have long been successful in
changing behaviors resulting in greater understanding and
awareness of a company-wide mindset when it comes to
data privacy and security. We continue to collaborate with
our employees, clients, and partners to evolve and improve
our data privacy and security practices as technologies
become smarter and more pervasive.
the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(Text with EEA relevance), OJ L 119, 4.5.2016, p. 1–88
Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.