A robust process to manage improvements
Ensuring continuous DP compliance
Over the last decade, in the hyper-connected digital world, data privacy has steadily emerged as an extremely important dimension of human rights. Significant changes in the privacy threat landscape is expected with the increasing adoption of emerging technologies such as AI, IoT, Big data, that bring rich dividends for consumers and society at large.
At Infosys, we constituted the data privacy function over a decade ago and it functions as an independent business enabling function directly reporting to the Board to ensure the independence of the function.
Anticipating the need for making privacy an integral part of application development, ‘privacy by design’ has been taken up as strategic initiative. The emphasis has been on embedding privacy as a culture while designing solutions. Our engineers are being equipped with both knowledge and reusable components repository with the intent of reducing dependency on testing as a means to ensure privacy. Keeping in view the large-scale personal data processing involved, we make use of tools and technologies to institutionalize data privacy practices and controls across the enterprise. Data Privacy Impact Assessments are conducted for every new process or whenever there is a change in the existing process which involves processing of PII/SPI. Over the years, the growing awareness and education on data privacy among stakeholders has contributed to a more robust process
Data Privacy Governance Framework
At Infosys, Data Privacy Office plays the role of Architect and Checker, while Business Enabling Functions and Units are the makers, with independent audits being carried out periodically by Infosys Quality team and External Bodies to validate the effectiveness of data privacy controls deployed. Regular Senior Management reviews ensure the oversight required.
- Privacy Sub-council (constitutes of Nominated individuals from Business Enabling Functions and Delivery)
- Data Privacy Council (constitutes of Business Enabling Functions and Unit heads)
- Legal Compliance and Risk Council (General counsel, CFO, COO and CRO are key members)
- Risk Committee (RC)
Adopting internationally accepted protocols
We make every effort to protect the personal information that comes under our purview. Our data privacy compliance framework is the convergence of international best practices, client-prescribed requirements and applicable data privacy regulations across geographies.
Infosys is among the first few organizations globally, to have its framework certified with accreditation, for the recently released ISO 27701 privacy information management standard.
In fiscal 2021, there were forty three incidents involving customer data and none of them had any substantial material impact. There were no substantiated complaints received concerning breaches of customer privacy from outside parties and regulatory authorities.
Driving thought leadership in data privacy
We see the need for engagement with industry and government bodies in shaping the future of privacy, both as a social responsibility and a necessity to stay connected in an ever changing technology and privacy landscape. We continue to participate in various initiatives with industry forums and standard development institutions globally, helping them develop data privacy frameworks, regulations and standards.
Infosys was a key contributor in the development of India’s Data Privacy standard IS 17428, published in December 2020 by BIS (Bureau of Indian Standards) – India’s national standards body. Infosys CPO was appointed by BIS as Convener of the Committee constituted 4 years ago, to develop this standard along with a group of experts from across the Industry, Academia, Civil Society and Government, including MeitY. Two of the ISO standards on data privacy, ISO 27701 (world’s 1st international data privacy standard) and ISO 29184 both of which have been already published, had our CPO as co-editor, who is a working group expert participating in the ISO SC 27 committee.
Our CPO is also a member of the Privacy Engineering Advisory Board of the International Association of Privacy Professionals (IAPP) where he plays active role in shaping the privacy engineering agenda.