Our GDPR Journey

Read more about how Genpact protects your privacy

  • Facebook
  • Twitter
  • Linkedin
  • Email

General Data Protection Regulation (GDPR) is here, and has revolutionized organizations’ outlook on data privacy.  Here’s what we have done.

GDPR: A bird’s eye view

What is GDPR?
General Data Protection Regulation (GDPR), is the new data privacy regulation which replaces the Data Protection Directive. The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

How did GDPR evolve?

  • 2012: GDPR proposed by European Commission in place of EU Directive
  • 2015: Approved by European Council & Parliament
  • 2016-17: Adoption of Regulation & Implementation Phase
  • 25th May 2018: Enforcement of Regulations

How is GDPR applicable?
Simply put, GDPR is applicable to every organization that processes European personal data both inside and outside Europe. If you’re still wondering if the GDPR applies to you, here are some points to consider:

  • Do you process personal data?
  • Is your organization located in the European Union?
  • Is your organization located outside the EU and does it offer goods or services, either for a price or for free, to individuals residing in the EU?
  • Is your organization located outside the EU and does it monitor any behavior taking place in the EU?
  • Is your organization located outside the EU, but has an establishment in the EU with some processing activity related to that EU establishment?

What are the foundational principles of GDPR? (6 principles)
The GDPR is based on 6 privacy principles:

1. Lawfulness, fairness and transparency:

  • Maintain transparency and communicate to induviduals on how thier personal data shall be processed.
  • Commit to ensuring that the personal data is only processed in accordance to what was communicated.
  • Ensure that the processing activity is lawfull and meets the lawfulness criteria mentioned in GDPR [Articles 6 to 10]

2. Purpose Limitation:

  • Personal data shall be collected for "specified, explicit and legitimate purposes" and only processed in a manner communicated to the data subjects and not for any other additional purpose without further consent of data subject.

3. Data Minimization:

  • Ensure that personal data processed is "adequate, relevant and limited" to the purposes for which they are processed.

4. Data Accuracy:

  • Implement measures to ensure that the personal data is kept accurate and, where necessary, kept up to date.
  • Take reasonable steps personal data, where found to be inaccurate, are erased or rectified without delay.

5. Storage Limitation:

  • Ensure that personal data is not retained longer than is necessary for the purposes for which the personal data are processed.

6. Integrity and Confidentiality:

  • Implement adequate safeguards to protect the personal data from any unlawful processing, loss, destruction or damage.

What are the changes brought about by the GDPR

  • Wider Scope: The GDPR is not just applicable to EU organisations, but to any business that manages or processes personal information of EU citizens.
  • Data Processors: Both data controllers and processors are now jointly responsible for complying with the new rules. Data Processors are now subject to additional obligations
  • Data Subject Rights: The GDPR retains the existing rights for data subject, and creates new rights such as right to erasure, right against profiling, right to Data Portability
  • Privacy Impact Assessment (PIA): Privacy Impact Assessments (PIA) must be conducted for any risky or large scale processing of personal data
  • Breach Notification: Organizations now have to report data breaches to individuals who were affected, and to a supervisory authority within 72 hours.

Where can you learn more about GDPR?

Our commitment
We at Genpact, welcome the regulation and envision this as an opportunity to transform our business practices, delivering value and ‘Generating Impact’ in the community around us. Genpact believes that the GDPR is not just a journey for compliance but an opportunity to reinforce our commitments in respecting the privacy and upholding the data protection rights of all individuals associated with us.

Data Privacy and Protection is one of the core principles that we embed into our business processes, products and services delivered by us. We have aligned our services and data handling processes to global standards and are committed to honoring, respecting and protecting the privacy of our employees, contractors, business partners, customers as well as our visitors.

How have we addressed your privacy concerns?
We understand the different concerns you may have about how we handle your personal data. We have taken an in-depth look at your concerns, and taken a risk based approach to address all of them.

Strategy & Governance: We understand that our leaders have to be responsible and accountable for handling personal data. We have nominated a steering committee to pioneer our GDPR initiative. We have also established a Data Privacy Team led by our Data Protection Officer to govern and manage your personal data.

Lawful Processing: We understand that your personal data has to be used for a lawful purpose and in a fair and transparent manner. We have developed simple and clear notices for you to understand how we handle your personal data. Please refer to our section below ('Note to our data subjects') to see our Privacy notices.

Policy Management: We recognize the need to standardize how we handle your personal data. We have updated our policies, procedures and guidelines to provide everyone in our organizations a systematic and mature approach to handle your personal data.

Data Transfer: We understand that your personal data may be at risk when it is being transferred to different countries. Where we transfer personal data outside of EU, we either transfer personal data to countries that provide an adequate level of protection (as determined by the European Commission) or we have appropriate safeguards, as allowed under GDPR, are in place. For details on our data transfer practices, please refer to our section below ('Note to our data subjects') to see our Privacy notices.

Data Subject Rights: We respect your right to exercise control over the personal data you have provided us. We have established a robust process to receive and fulfil requests from you to access, rectify, restrict, or erase your personal data. Please refer to our section below ('Note to our data subjects') to read our Privacy notices and to understand how you may submit a data subject request.

Privacy by Design: We value your privacy over your personal data, and understand that we need to consider your privacy during every stage of our processes. We have redesigned our approach to safeguard your privacy from the ground-up while designing systems and processes.

Data Security: We recognize the need to secure your personal data using all possible measures. We have implemented robust security measures to ensure the confidentiality, integrity and availability of your personal data. We are compliant with industry leading standards such as ISO-27001, PCI-DSS and NIST.

Data Breaches: We are committed to safeguard your personal data and have implemented robust security measures to ensure the same. We have invested into building state of the art solutions that enables timely detection and prevention of any unusual/ malicious activities. We have established processes to maintain transparent and timely communication with you about the breach and the steps we have taken to resolve it.

Vendor Management: We understand that it is our responsibility to protect your personal data provided to us, irrespective of whose assistance we use to process it. We are responsible to ensure that we partner with organizations who have the same commitment as us while handling your personal data. We have established a centralized vendor governance office who will choose the right partners and monitor them on a regular basis during our ongoing relationship with them.

Training & Awareness: We recognize the need to educate, and instill a commitment to protect your privacy among everyone handling your personal data, including our employees and sub-contractors. We have mandated data privacy and security trainings to all our employees and sub-contractors, and instructed our leaders to propagate the values to protect your privacy from the top-down.

Note to our data subjects
We, at Genpact, respect you and are committed to honoring and protecting your privacy, we treat personal data in accordance with data protection laws and the purpose of the documents below is to make sure you are aware of what personal data we collect, how we use and take care of your personal data. 

Website Privacy Notice

Privacy Notice for Customers

Privacy Notice for Employment Candidates

Privacy Notice for Individual Contractors

List of Partners and Suppliers associated with Genpact

Note to Our Customers