Data privacy | Governance

DP governance framework

At Infosys, the Data Privacy Office plays the role of architect and checker, while business enabling functions and units are the makers, with independent audits being carried out periodically by our Quality team and external bodies. Quarterly senior management reviews ensure adequate oversight.

Governance bodies: Risk Management Committee (RMC), Legal Compliance and Risk Council (LCRC), Data Privacy Council (DPC), Privacy Sub-Council (PSC)

• Privacy Sub-Council (Comprises nominated individuals from business enabling functions and Delivery)
• Data Privacy Council (Comprises heads of business enabling functions and business units)
• Legal Compliance and Risk Council (General Counsel, CFO and CRO are key members)
• Risk Management Committee (Chaired by an independent director)

Aspirations in DP

We make every effort to protect the personal information that comes under our purview. Our data privacy compliance framework is based on ISO 27701 with inputs that include convergence of international best practices, client-prescribed requirements and applicable data privacy regulations across geographies.

Adopting internationally accepted protocols

We are among the first few organizations globally to have our framework certified with accreditation for the ISO 27701 privacy information management standard. We intend to increase the coverage of the certification across the enterprise in phases.

Privacy by Design (PbD) EPIC program

Anticipating the need to make privacy an integral part of any process or application dealing with personal data, an organization-wide strategic initiative named EPIC (Embedding Privacy by design into Infosys Culture) was rolled out in early 2022 by the DPO in collaboration with Quality and Delivery functions. EPIC embeds PbD into the solution development process at Infosys to enable responsible data-centric innovation that complies with DP regulations, leading to market differentiation. The program focuses on introducing PbD strategies, patterns and guidelines to integrate privacy principles and requirements into solutions and platforms development. To institutionalize privacy by design, a two-phased enabling program is under way. In phase one, foundational and intermediate courses on privacy by design were designed and enabled for all employees globally. Phase two is focusing on taking the privacy by design implementation to clients.

Vendor DP guidelines

Vendor DP management of our extended entities has assumed strategic significance in the current scenario of third-party risks, given the increasing volume of data breaches, and enterprise dependency on outsourcing including cloud service providers. Suppliers present difficult and unique privacy and cyber security challenges. Compliance with diverse data protection laws across the world requires an effective mechanism for managing supplier-related risks to Infosys. We have published comprehensive guidelines for suppliers / vendors to ensure that they adhere to strict obligations imposed by contracts and applicable laws of the land, during their engagement with Infosys and its subsidiaries. The Infosys Supplier Code of Conduct is mandated across all essential suppliers involved in processing of personal data, along with necessary data processing clauses which are agreed prior to their onboarding. Assurance is further demonstrated through due diligence and annual assessments.

Robust incident management and breach handling

At Infosys, we have robust mechanisms to detect, assess, contain and manage data privacy breaches and incidents with well-defined processes and procedures to respond to breach notifications within defined timelines in accordance with the laws of the land. If an incident or a breach is determined to be of

Infosys | ESG REPORT 2022-23 | External Document © 2023 Infosys Limited