Accenture's Global Approach To General Data Protection Regulation Implementation


    rajeev_chopra

    Because the GDPR applies to processing of personal data of individuals in the EU, regardless of where it is processed or stored, Accenture is addressing the new requirements across all geographies as a consistent, global standard to address client needs.

    General

    On 25 May 2018, the General Data Protection Regulation (GDPR) [1] came into force. This is a Regulation designed to unify data privacy laws across the European Union (EU), and protect and strengthen the data privacy rights of individuals in the EU. GDPR strives to reshape the way organizations approach data privacy, with a focus on, among other things, accountability, widening the territorial scope of the EU data protection obligations, increasing individual rights, and imposing material fines for non-compliance.

    The Regulation protects the data of all individuals located in the EU, regardless of their nationality. If a tech company (even when outside the EU) hosts, handles or exchanges the data of any EU resident, it is required to be GDPR compliant.

    GDPR requires strengthening of data privacy controls, enhancing of technology for management of personal data, and the supplying of detailed documentation. In the past, only data controllers (those who determine the how and the why of data processing) assumed responsibility for data protection. Now, for the first time, data processors (those processing data on behalf of the data controller – mainly suppliers), too, have direct compliance risk and obligation.

    Accenture's Approach

    The GDPR is a step change in regulatory data privacy expectations and places significant new requirements on both Accenture's clients and Accenture's operations, not just in the EU, but globally. Because the GDPR applies to processing of personal data of individuals in the EU, regardless of where it is processed or stored, Accenture is addressing the new requirements across all geographies as a consistent, global standard to address client needs.

    The following highlights some of Accenture's efforts in responding to GDPR requirements:

    Embedding GDPR requirements into Accenture's Client Data Protection (CDP) program

    Our Client Data Protection (CDP) program governs the stewardship of client information and systems entrusted to Accenture as part of client-specific projects and outsourcing arrangements as well as when clients are using platforms and services that Accenture operates across multiple clients.

    The CDP program defines a set of required management processes and controls to protect our clients' data against a variety of information security and data privacy risks and consists of the following key elements:

    In addition, Accenture implemented new GDPR-related CDP controls in the following areas:

    Working across the ecosystem: Interactions between clients, Accenture, and Accenture third-party providers

    Working across the client-service ecosystem, the GDPR requires alignment across two types of contractual relationships: the "controller-processor" relationship for contracts with our clients and the "processor-subprocessor" relationship for contracts with our third-party providers.

    Appointing a Data Protection Officer

    Accenture revised its existing data protection officer approach to respond to the GDPR and appointed a global Data Protection Officer (DPO) supported by a network of Privacy & Security professionals. These roles oversee adherence to GDPR requirements within our organization, and they work with our geographic and business groups internally.

    The DPO focuses, among other things, on monitoring the implementation of Accenture's compliance programs and employee training in data protection. The DPO acts as the primary contact for competent data privacy regulators.

    Enhancing employee training, communications and security behavior

    Accenture has enhanced its focus on training and communications to provide employees with relevant GDPR awareness and training. Mediums such as self-paced learning boards, webcasts, short video communications, and mandatory GDPR awareness trainings are being deployed to enhance the understanding of GDPR. Our training and awareness programs have long been successful in changing behaviors, resulting in greater understanding and awareness of a company-wide mindset when it comes to data privacy and security. We continue to collaborate with our employees, clients, and partners to evolve and improve our data privacy and security practices as technologies become smarter and more pervasive.

    1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016, p. 1–88

    Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.