Accenture’s approach to schrems II

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment stating the current EU US Privacy Shield agreement is no longer a valid safeguard for transferring personal data from the EU to the US. This decision is known as “Schrems II,” as it references Maximilian Schrems, the principal plaintiff and privacy defendant responsible for raising this issue for court review and judgment.

Accenture treats privacy as a fundamental right for all individuals, and as a responsible and ethical company we take the protection of personal data very seriously. While Accenture has a strong data privacy program, Schrems II requires organizations to take further actions around data protection. Specifically, when moving personal data to most countries outside of the European Economic Area (EEA), organizations need to conduct a so-called Transfer Impact Assessment (“TIA”), if there is a risk the data can be accessed and ultimately exposed to foreign authorities. Should an increased risk of exposure exist, specific “supplementary measures” to mitigate the risk need to be applied.

Accenture has assessed our current compliance approach and standards, consulting with our external legal counsel to confirm if our process addresses the Schrems II requirements. Based on our review, as well as the standard supplementary measures and controlled clauses currently embedded into our process, we believe we are well positioned to continue to deliver our services in a consistent manner as we do today.

Certified secure

• Accenture maintains a global data privacy program closely aligned to GDPR upholding a consistent, global client and business data protection standard. Information Security and Privacy Information Management Systems share complementary security and data privacy controls.
  
  
• Our Client Data Protection program provides project teams with a standardized approach to managing risk through a set of processes, controls, and metrics. This ISO 27001/27701 certified program focuses on safeguarding client data.

Technical architecture

Accenture has over 50,000 physical and virtual servers, operating 95 percent of its business applications in the cloud. Accenture’s Security Operations Center (SOC) uses some of the most advanced security technologies to monitor and hunt threats across the enterprise, that in turn help implement data protection solutions at speed and scale. Such an approach includes:

• Real-time threat detection and compliance reporting conducted through Security Information and Event Management (SIEM).
  
  
• Vulnerability management to remove malware and effectively patch vulnerabilities, closing the attack surface proactively and preventing penetration of the network.
  
  
• Agent-based distributed hunting to search for malware and indicators of compromise, allowing us if needed, to remediate the issue within minutes versus hours.

Potential government requests for client data

To prepare for future eventualities, Accenture has expanded its proven and tested incident management approach and procedures to also cover government requests for personal information. Should we receive any such request defined broad and indiscriminate government request for personal information, the request is tracked through a central intake process and managed centrally by Accenture´s specialized legal and forensics teams and under the supervision of the Director of Cybersecurity and Data Integrity.

As a matter of principle, Accenture will not hand over personal data without a valid government order or warrant and it will take reasonable steps to challenge a government order or a warrant if Accenture´s specialized internal teams and external advisors identify legal deficiencies with such order or warrant.

If a government request relates to client data for which Accenture is the processor, Accenture will notify the client of the request and align potential further steps with the client unless applicable law prohibits a disclosure or immediate action is required. If Accenture is prohibited to inform the client, it will request that the government or authority will inform the client directly.

Transfer Impact Assessments (TIA)

Our process includes:

1. Analysis of the applicable laws in the destination countries. Relevant laws and practices of a destination country are reviewed to identify if they are clear, proportionate, have effective remedies and independent oversight.
   
   
2. Characteristics of the specific data transfer - Includes the types of data, entities involved and their industry sectors, purposes of transfer/processing, any onward transfers, storage vs access, circumstances of the transfer, regularity, physical transfer or access only
   
   
3. Overall risk assessment - considering the characteristics of the data transfer and the laws of the Third Country, understand the risk profile of the proposed transfer.
   
   
4. Safeguards implemented (i.e. supplementary measures) - where needed, technical, organisational or legal measures to ensure that the protection for people whose personal data is transferred to a destination country where protection for individuals is essential.

Supplementary safeguards in our data protection

Technical measures

• Proper Encryption Algorithm and Key Management Strategy
  
• Privileged Access Management
• Data Leakage Prevention
• Data Classification
• Logging & Monitoring

Organizational measures

• Procedure about the Handling of Government Requests for Personal Data
  
  
• Internal Policies – set allocation of responsibilities
  
  
• Minimization Measures – assess to identify personal data strictly necessary for the transfer
  
  
• Transparency Measures – documentation of requests to data importers available
  
  
• Standards and Best Practices – e.g. data security and privacy policies; ISO Norms; ENISA

Legal measures

• Certification re: lack of back doors/similar programming easing the access to personal data
  
  
• Implementation of procedures for changes in law notification and swift suspension of the data transfer
  
  
• Agreement on notifications to clients where permitted

Award-winning employee security training

• All Employees – Mandatory global IS Advocate Training Program and Data Privacy training
  Driving global awareness and adoption of secure behaviors with interactive, gamified learning.
  
  
• High Priority Groups – Targeted IS Training Tracks
  Targeting key topics for high-risk groups such as new hires, technology delivery roles, Leadership, HR, and others.
  
  
• Client Account Roles - Client Data Protection (CDP) Training
  Improving effectiveness and compliance of CDP through role-specific security training for critical roles.

Supplier Security Management

Accenture’s approach to supplier contracting includes a thorough due diligence process to identify DP/IS risks addressed contractually and monitored operationally through the life of the contract.

1. Conduct Data Privacy, Transfer Impact Assessments, and Information Security Risk Profiling Evaluation
   
   
2. Determine level of supplier IS risk – 1 of 3 ratings - Low, Above Normal and High
   
   
3. Conduct a Supplier Security Assessment (SSA) for suppliers with heightened levels of IS risk
   
   
4. Agree to security controls, operational processes and –where required- supplementary measures in the supplier contract
   
   
5. Monitor supplier performance through the life of the contract. Correct non-compliance