Evolving notion of privacy
At Infosys, privacy has always been a primary expectation: freedom from unwanted intrusion into one’s private space. But in the digital world we live in today, the very notion of private space has changed drastically. Advances in computing technologies and innovation have made it easier to glean our digital footprints from sensors, wearables, website cookies and smartphone location data, to name a few, often without our knowledge or choice. The rich insights obtained from these may benefit us, but they could also intrude into our decisional autonomy, and the line between the two is increasingly blurred. Hence, as an organization, we make design choices that strike a balance between innovation and privacy, with complete transparency, while engineering solutions.
Approach to sustained data privacy compliance
At Infosys, we constituted the data privacy function over a decade ago, and it operates as an independent business enabling function reporting to the General Counsel. In fiscal 2022, we complied with all applicable data privacy regulations when building applications and platforms and when executing client projects, by introducing appropriate privacy safeguards. To demonstrate our top management’s commitment to privacy, we have formulated the data privacy policy and published it on the intranet. To ensure complete transparency, we provide privacy notices at the time of data collection to both internal and external data subjects, and a privacy statement is also made publicly available for external data subjects. These are continually strengthened to reflect changes in personal data processing or in data privacy regulations.
Data Privacy Governance Framework
At Infosys, the Data Privacy Office plays the role of architect and checker, while the Business Enabling Functions and units are the makers. Independent audits are carried out periodically by our Quality team and by external bodies to validate the effectiveness of the data privacy controls we have deployed. Regular Senior Management reviews ensure adequate oversight. The governance structure comprises the following bodies:
- Privacy Sub-council (comprises nominated individuals from Business Enabling Functions and Delivery)
- Data Privacy Council (comprises Business Enabling Functions and Unit heads)
- Legal and Compliance Risk Council (General Counsel, CFO and CRO are key members)
- Risk Management Committee of the Board (RMC)
Aspirations in data privacy
We make every effort to protect the personal information that comes under our purview. Our data privacy compliance framework is the convergence of international best practices, client-prescribed requirements and applicable data privacy regulations across geographies.
Adopting internationally accepted protocols
We are among the first few organizations globally to have our framework certified, with accreditation, against the ISO 27701 privacy information management standard. The objective is to increase the coverage gradually, in a phased manner.
Privacy by design EPIC program
Anticipating the need to make privacy an integral part of application development, the Infosys Data Privacy Office, in collaboration with the Quality team, has rolled out an organization-wide strategic initiative named EPIC (Embedding Privacy by Design into Infosys Culture). Its aim is to embed privacy by design into the solution development process at Infosys, enabling and promoting responsible data-centric innovation that complies with data privacy regulations while meeting both end-user and client expectations, leading to market differentiation. The program focuses on introducing privacy design strategies, patterns and guidelines that integrate privacy principles and requirements into the development environment for solutions and platforms. It will also help engineers make the right design trade-offs, so that privacy is proactively treated as a positive-sum game rather than a constraint to be traded away.
Privacy impact assessment tool
Given the large-scale personal data processing involved, we use tools and technologies to institutionalize data privacy practices and controls across the enterprise. Over the years, growing awareness of and education on data privacy among stakeholders has contributed to a more robust process. To keep our processes compliant with privacy laws and to embed privacy into the design of our systems, Data Privacy Impact Assessments are conducted for every new process, and whenever an existing process that involves processing of PII / SPI changes. To standardize and automate this assessment across the organization, we developed an in-house tool that recommends customized data privacy controls to the business enabling functions and tracks their effective implementation.
Vendor data privacy guidelines
Vendor data privacy management has assumed strategic significance in data protection and privacy programs, given the increasing dependency on outsourcing, including cloud service providers. Suppliers present difficult and unique privacy and cybersecurity challenges, and compliance with the diverse data protection laws across the world requires an effective mechanism for managing the supplier-related risks to Infosys. We have published comprehensive guidelines for suppliers/vendors to ensure that they adhere to the strict obligations imposed both under their contracts and by the applicable laws of the land during their engagement with Infosys and its subsidiaries.
Robust incident management and breach handling
At Infosys, we have robust mechanisms to detect, assess, contain and manage data privacy breaches and incidents, and well-defined processes and procedures to meet breach notification obligations within the timelines defined by the laws of the land. If an incident or breach is determined to be of high impact, or if the law of the land mandates it, the breach is notified to the impacted data subjects and / or the supervisory authority. We also incorporate key learnings from incidents by including similar scenarios in the privacy awareness stories and tips sent to employees. In fiscal 2022, there were no substantiated complaints received concerning breaches of customer privacy from outside parties or regulatory authorities. Only one breach was identified during the reporting period; it occurred outside the organization, and the affected users were notified of the breach.
Data subject rights process
Of late, data subject rights have become an intrinsic part of data privacy laws in many countries. These rights are legally enforceable, but they are never absolute in nature, which makes fulfilling them all the more complex. Infosys has established the necessary tools and processes to handle such data subject rights requests within the stipulated timelines.
Raising Data Privacy awareness through campaigns and events
Every year, we celebrate Data Privacy Day by hosting engaging interventions and diverse online interactive events, such as crosswords, quizzes, chats with the DPO and messages from senior leaders, to spread awareness. The events span several months, and reward mechanisms are in place to promote participation. Additionally, monthly awareness mailers in the form of privacy tips and stories are sent to everyone in the organization to strengthen awareness. We conducted Privacy Symposium 2021, a maiden virtual conference organized by the Infosys Data Privacy Office in association with the IAPP, where participants connected with privacy leaders, CPOs, experts from academia and global frontline practitioners to reflect on key trends, challenges and best practices. The sessions covered privacy engineering topics such as anonymization and privacy-preserving synthetic data, as well as AI and data ethics and human behavior, privacy standards, data subject rights and other emerging areas. A similar symposium is planned for 2022 in collaboration with international bodies. All employees and sub-contractors must also complete a privacy awareness quiz annually.
Member of IAPP
Our CPO is also a member of the Privacy Engineering Advisory Board of the International Association of Privacy Professionals (IAPP).
Driving thought leadership in data privacy
The Infosys Data Privacy Office recognizes the need to engage with industry and government bodies in shaping the future of data privacy. To that end, it actively participates in and contributes to various initiatives with industry forums and standards bodies globally, helping them develop data privacy frameworks, policies and standards. Some of our senior leaders from the DPO sit on the Advisory Board of the International Association of Privacy Professionals (IAPP) and play a role in setting the data privacy agenda. The Infosys DPO is also co-editor of ISO and IEEE data privacy standards related to privacy management and privacy in emerging technologies, some of which are published while others are still being developed.