
Data privacy

In 2025, the average total organizational cost of a data breach in India reached an all-time high of Rs 22 crore, 13% higher than the previous year, according to IBM’s Cost of a Data Breach Report.

Collaborations with industry bodies, regulators and standard setting firms

With AI adoption accelerating at a lightning pace, data breaches are becoming increasingly frequent and complex. At Infosys, over the years, we have built a Data Privacy (DP) function that not only guards against incidents but also strives to make data privacy a key differentiator for Infosys and maximize value for stakeholders.

We want to be the trusted partner for businesses in their digital transformation journeys, ensuring DP compliance throughout the journey.

The evolving digital landscape

At Infosys, we recognize that the rapidly evolving digital landscape has reshaped the very meaning of privacy. With the proliferation of technologies such as artificial intelligence (AI), the Internet of Things, and big data, we are seeing transformative benefits across society.

However, these same technologies introduce greater risks related to DP and security.

Our business model involves the seamless global flow of data, which must comply with regulations that often have extraterritorial reach. That’s why we emphasize the importance of consistent and effective data protection practices in every country we operate in.

Independent Data Privacy Office (DPO)

At Infosys, the independent DPO plays the role of architect and checker, while business enabling functions and units are the makers, with independent audits being carried out periodically by our Quality team and external bodies. Quarterly senior management reviews ensure adequate oversight.

Data Privacy Office organizational structure diagram

As AI continues to evolve, we are mindful that many existing privacy regulations already apply to AI systems that process personal data, and we closely align our practices with key principles such as transparency, fairness, non-discrimination, explainability, and human oversight.

To effectively manage these evolving risks and regulatory expectations, we have built a strong internal governance structure that supports our privacy objectives across the organization.

Thought leadership in DP

The Infosys Data Privacy Office (DPO) actively collaborates with global industry bodies, regulatory groups, and standard-setting organizations.

Through these partnerships, we help shape the development of data protection frameworks, policies, and international standards, especially in emerging areas such as artificial intelligence.

These contributions underscore our role not only as a compliant entity but also as a driver of best practices in data privacy across industries and borders.

DP compliance

More than a decade ago, we established our Data Privacy function as an independent group reporting directly to top management.

This function is built on the globally recognized Privacy Information Management System (PIMS) framework and is responsible for ensuring compliance with data protection regulations across business processes, applications, and client engagements.

DP policy

Our Data Privacy Policy — accessible to all employees via the intranet — reflects the top management's commitment to privacy. This commitment extends beyond internal operations to include third-party service providers.

As part of our third-party service provider DP risk management process, every vendor being onboarded undergoes strict due diligence and must accept the Infosys Supplier Code of Conduct, which includes our data processing agreement. Additionally, ongoing vendor DP compliance is ensured through the annual vendor assessment / certification process.

Privacy notices

In line with our values of transparency and accountability, we provide privacy notices at data collection points for both internal and external data subjects.

The privacy statement for external stakeholders is also publicly available on our website and is routinely updated to reflect changes in data handling practices or applicable laws.

As we continue to build on this foundation, embedding privacy into the design of our systems and services has become a key enabler of both compliance and innovation.

Privacy by design enablement

We believe that privacy should be integrated at the design stage of any process or application that handles personal data. To embed this principle into our organizational DNA, a company-wide strategic program has been undertaken to train our development teams to apply the seven foundational principles of Privacy by Design (PbD) using privacy design strategies, patterns, and Privacy Enhancing Technologies (PETs).

Infosys' Privacy Engineering Center of Excellence has also been rolled out to enable our employees in the PbD space. This not only supports regulatory compliance but also fosters a privacy-first mindset among our engineers. Our ability to design and deliver privacy-conscious solutions is further bolstered by adherence to global benchmarks and certifications.

To strengthen our dedication to Privacy by Design within client engagements, our organization has adopted a comprehensive strategy aimed at enhancing internal capabilities. We have revised and distributed Privacy by Design Cookbooks to our teams, delivering practical guidance and underscoring privacy as a core value in every client interaction.

Building awareness and a culture of privacy

We actively promote a culture of privacy awareness among our employees and stakeholders.

Every year, we celebrate Data Privacy Day with interactive and engaging activities such as quizzes, crosswords, Pictionary games, and 'Chat with the DPO' sessions.

Senior leaders deliver messages that reinforce the importance of privacy across the organization.

Monthly privacy tips — based on real-world scenarios and evolving threat landscapes — are widely shared to deepen organizational understanding.

Participation in our privacy awareness program is mandatory.

Every Infosys employee and sub-contractor is required to complete a role-specific privacy awareness quiz each year to ensure their knowledge stays current and relevant.

This internal commitment is mirrored by our external engagement efforts, through which we shape the broader privacy ecosystem.

The Infosys Data Privacy Office has been actively engaged in advocacy efforts on India's Digital Personal Data Protection Act, 2023, both during development of the regulation and during the subsequent formulation of the DPDP Rules, which were published in November 2025. Every year, we hold a Privacy Symposium solely to promote knowledge sharing among privacy professionals. The 2025 symposium focused on privacy enhancing technologies that help strengthen compliance with the requirements of the DPDP law, and MEITY also participated along with several stakeholders from industry, academia and civil society. We play a key role in shaping data privacy standards globally by participating as working group experts in the SC 27 and SC 42 committees of ISO, and in India by working closely with BIS (Bureau of Indian Standards). We work closely with NASSCOM and DSCI, collaborating on privacy initiatives. The Infosys DPO is also a member of the DFFT (Data Free Flow with Trust) initiative of the OECD, working on privacy initiatives.

Privacy performance metrics

We are continuously strengthening our DP measurement framework under the oversight of our DPO. Various metrics are regularly analyzed, reviewed for trends, and presented to senior leadership during the cross-functional quarterly DP Council meetings. Insights from these reviews guide continuous improvement initiatives across the organization.

ISO 27701

Infosys has set a strategic goal to expand its ISO 27701 certification across all relevant global operations in a phased manner in order to achieve enterprise-wide coverage, reinforcing our position as a global leader in privacy governance and ensuring that our privacy practices remain resilient and future-ready.

Cross-jurisdictional compliance

At Infosys, we maintain a robust, enterprise-wide data privacy and compliance framework designed to meet the complex and evolving regulatory requirements across jurisdictions.

Global compliance monitoring

A dedicated compliance team actively monitors global legal and regulatory developments, leveraging inputs from multiple sources, including regulatory databases, industry bodies, law firm alerts, and consulting advisories. This monitoring enables near real-time identification of changes and facilitates timely compliance actions.

Compliance tracking tools and memberships

To operationalize compliance tracking, Infosys employs specialized tools while drawing on memberships with professional organizations, including the International Association of Privacy Professionals (IAPP) and the Association of Corporate Counsel (ACC).

Centralized compliance repository

A centralized compliance repository maps regulatory requirements to business-enabling functions, ensuring consistent implementation across the enterprise.

Data protection impact assessments

We conduct Data Protection Impact Assessments (DPIAs) before initiating new data processing activities or deploying technologies involving personal data. This ensures that privacy-by-design principles are embedded from the outset.

Incident response protocols

Our incident response protocols include pre-defined procedures for notification, assessment, mitigation, and documentation, supporting adherence to cross-border data breach notification obligations.

Global standards and certifications

Infosys has adopted globally recognized protocols to fortify our data privacy practices. We are among the first few organizations worldwide to earn ISO 27701 certification for our privacy information management system. Our efforts to expand this certification across our global delivery centers are ongoing.

Additionally, we recently became the first India-headquartered company to achieve Binding Corporate Rules (BCR) certification from EU data protection authorities. This milestone underscores our commitment to responsible international data transfers and further aligns us with the highest global standards for data privacy compliance.

While governance, design, and certification strengthen our preventive posture, robust response mechanisms are essential for resilience and trust.

Contributions to global privacy standards

Infosys plays an active role in shaping global data privacy standards by participating as a working group expert or editor in ISO SC 27 and SC 42 committees associated with Data Privacy and Artificial Intelligence, respectively. Members of the Infosys Data Privacy Office are working group experts in the ISO SC 27 and ISO SC 42 committees, making active contributions. One of our data privacy professionals is an expert and part of AG9 (Ad hoc Group) on the Gender Responsive Standards Initiative, playing a very important role in ensuring gender diversity in standards development.

The Infosys DPO has co-edited several standards in the last several years. Members of the Infosys DPO are now contributing as editor or expert in the following upcoming standards:

ISO 27565: Guidelines on Privacy Preservation using Zero Knowledge Proofs Factor
ISO 27568: Security and Privacy of Digital Twins
ISO 10267: Data Usage – Personal Information Factor
ISO 25569: Implementation Guidance on De-identification of data used in Machine Learning
ISO 27574: Privacy in brain computer interface (BCI) applications
ISO 17428 (under revision): India’s Data Privacy Standard

The Infosys DPO is a member of the OECD DFFT (Data Free Flow with Trust) Expert Community on PETs – the only member from India at the time of creation of the DFFT group.

Data subject rights and breach management

Safeguarding the rights of individuals is fundamental to our privacy strategy. As data subject rights become a core component of regulatory frameworks around the world, we have implemented processes that allow us to address such requests in a timely and compliant manner — even in complex enterprise settings where data exists in multiple formats and geographies. Managing these rights involves careful navigation of overlapping legal exceptions and system limitations, but we remain committed to honoring them. In parallel, we have established a comprehensive incident and breach management framework.

At Infosys, we have robust procedures in place to detect, assess, contain, and resolve data privacy incidents. Our team of dedicated privacy professionals works closely with business units, legal, information security, communications, and external providers to ensure rapid and effective response. For high-impact cases, or those that require it by law, we notify the affected individuals and supervisory authorities, offering full disclosure and support. Such incidents are also reported to our senior leadership via the Incident Disclosure Committee.

Our zero-tolerance approach is reinforced through strict consequence management and preventive action mechanisms, with key lessons integrated into organization-wide awareness campaigns. To ensure these efforts are sustainable, we have prioritized building a strong culture of privacy awareness throughout the organization.

Responsible use of personal data in generative AI

Infosys integrates DP safeguards into all generative AI deployments involving personal data. In accordance with our data protection framework and applicable legal requirements, Privacy Impact Assessments (PIAs) are conducted for each deployment.

We implement both technical and organizational controls to ensure responsible data usage and uphold individual privacy rights.

Our governance is further reinforced by global certifications, including ISO 27701 (Privacy Information Management System) and ISO 42001 (AI Management System), which provide structured approaches for compliance and accountability in the evolving AI and data landscape.

Looking ahead: Future-ready data privacy

Infosys’ forward-looking privacy strategy is anchored in innovation, resilience, and global accountability.

As privacy risks increase with the need to embrace emerging technologies including AI, the organization remains committed to treating privacy not only as a compliance mandate, but as a core ethical and enterprise value.

Use of customer data for secondary purposes

Infosys applies strict controls to ensure customer data is used only to deliver services as agreed with the client.

Any use beyond this original purpose requires explicit customer consent or clear contractual authorization. In FY26, no cases of secondary data use were identified that required customer-level reporting or additional disclosure.

Use of customer data – Government and law enforcement requests

Infosys is firmly committed to safeguarding the privacy, confidentiality, and security of all customer data entrusted to it. Infosys processes and discloses customer information only in strict accordance with applicable laws, regulatory requirements, and existing contractual obligations.

Infosys does not permit direct or unrestricted access to customer data by government or law enforcement authorities. Any request for customer information is subject to a rigorous review process to assess its legal validity, scope, and proportionality before any response is provided. Where legally permissible and contractually required, Infosys notifies the relevant client.

Where applicable, Infosys endeavors to redirect such requests to the relevant client, who serves as the data controller, unless doing so is prohibited by law. In circumstances where disclosure is legally mandated, Infosys limits its response to the minimum information necessary to satisfy the legal requirement.

This approach reflects Infosys’ alignment with globally recognized best practices in data governance, ensuring that customer data remains protected through robust legal scrutiny and the principle of minimal disclosure.

Transparency on government requests

For the financial year ended March 31, 2026, the summary of government and law enforcement requests for customer information is:

Metric | FY26
Number of government / law enforcement requests received | 0
Percentage of requests resulting in full or partial disclosure | 0