At Genpact, we value our customers’ security and privacy and believe that you have a right to know how your information is processed and secured. As we help our customers drive digital transformation with our products and services, ensuring this is done securely and in compliance with regulations is a critical area of focus for us. We also recognize that our products and services have to be designed to help our clients meet their security and privacy commitments to their customers.
As part of our compliance with GDPR, we have outlined below some of the key principles, processes and capabilities developed for our digital solutions. We believe that the configuration and execution of these capabilities, in conjunction with related processes, will enable organizations to achieve a compliant posture. We recognize that there will be additional nuances based on factors like the type of digital solution, delivery model and solution architecture, and will be happy to work with you to provide more granular solutions that are relevant for you. We understand that in cases like a cloud delivery model involving additional partners, security and compliance are a shared responsibility, and we are committed to working together to build a robust framework.
Key Principles for GDPR Compliance
Privacy by Design: We have assessed and are implementing reasonable capabilities to embed data privacy and data protection in our products and services. These will be aligned to the solution we offer and agree with our customers. These capabilities, combined with associated systems and processes, will drive our GDPR readiness.
Information Security: Genpact has a comprehensive information security framework, and our information security program is certified to ISO 27001. Key principles of our program include adopting a layered “defense in depth” approach, and focusing on people, process, technologies and partnerships as key components of the program. We are committed to ensuring our digital solutions and underlying cloud hosting platforms have robust security capabilities, supported by operational controls.
Training and Awareness: We have comprehensive data privacy and security training in place for employees, supplemented by additional awareness measures. These include specialized training for our development teams in aspects like secure coding principles.
Contractual Compliance: We have updated our contract templates and established our commitments to adhere to the GDPR principles.
Third party vendors: Genpact has a Vendor Governance Office responsible for ongoing governance and risk assessment of our vendors. As part of this process, Genpact:
- Carries out due diligence, which includes assessment of the data privacy and data security posture of the vendors prior to selection/empanelment.
- Has a process to review the contractual agreements signed with empaneled vendors for the data protection clauses required by GDPR and other privacy laws, in alignment with Genpact's data protection policies.
- Establishes processes for periodic review of the security and compliance postures of our key vendors.
Additionally, as a Data Processor, we have implemented processes to ensure client approval/authorization is obtained prior to vendor onboarding to support contract/service fulfilment.
Cross Border Data Transfer: The European Commission allows the use of standard contractual/data protection clauses to transfer personal data outside the EU. Please visit http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF to learn more about standard contractual/data protection clauses.
Genpact is willing to commit to standard contractual/data protection clauses during contract sign-off to allow for authorized transfer of EU PII to our delivery centers located outside Europe. Genpact has also executed standard contractual clauses, via intergroup agreements and participation agreements, to cover all Genpact entities. This facilitates authorized transfers, compliant with GDPR, outside our European delivery centers.
Records of Processing: We have developed processes to ensure documented records of processing are maintained in line with Article 30 requirements of the GDPR.
Data Breach Management: We have established a data breach management process to ensure timely identification, handling and notification of data breaches in line with our contractual commitments.
Data Subject Rights: We are committed to ensuring compliance with regulatory and contractual requirements related to data subject rights.
Privacy Impact Assessments: We have a process in place to conduct Privacy Impact Assessments (PIA) for projects carrying out ‘High’ risk processing.