Group Data Protection Policy

Posted 21-Apr-2022

GHL-DG005

Draft Group Data Protection Policy

Policy Title: Group Data Protection Policy
Policy ID: GHL-DG005
Policy Owner: Chief Data Officer
Prepared by & Date Prepared:
Approved by & Date Approved: BU Heads
Date Effective From: Apr 2021
Policy Review: Mar 2021

Signatures:
Naresh Mongroo (Mar 17, 2021 12:38 EDT)
Ravi Tewari (Mar 17, 2021 12:49 EDT)
Alan Sadler (Mar 17, 2021 14:46 EDT)
Anand Pascal (Mar 17, 2021 14:57 EDT)
Karen Bhoorasingh (Mar 17, 2021 15:00 CDT)
Dean Romany (Mar 18, 2021 09:52 EDT)
Brent Ford (Mar 24, 2021 11:12 EDT)

Table of Contents

1. Background
2. Purpose
3. Scope
4. Definitions
5. Policy Statement
6. Roles and Responsibilities
7. Enforcement
8. Policy Administration
9. Other related policies
10. Version History
11. Appendix A - Guardian Group Data Protection Principles
12. Appendix B - Guardian Group's Data Protection Management Program Framework
13. Appendix C - Guardian Group's Data Protection Management Program Federated Governance Model


1. BACKGROUND

The Guardian Group (the Group) recognises the importance of ensuring that the organisation is compliant with the requisite Data Protection laws that regulate several of our Business Units.

A vital part of being compliant with these laws is our commitment to be transparent about the ways we protect the personal data entrusted to us by our customers and team members. Specifically, we are accountable for:

• developing a governance structure that promotes and values privacy and that enables every one of our team members to make the right decisions, every day, about how to respect privacy when handling personal data;
• ensuring that we properly identify and mitigate privacy risks throughout our operations, in part by striving to apply the principles of Privacy by Design in the development and review of our products and services; and
• earning and maintaining our customers' and team members' trust by being transparent about how we handle personal information and by offering choices where it is appropriate to do so.

2. PURPOSE

The Group (as a Data Controller) considers the safeguarding of data protection rights as part of its social and legal responsibility. In some countries in which we operate, legislators have defined standards for protecting the data of natural persons ("personal data"), including the requirement that such data may only be transferred to other countries if the local law applicable at the place of destination provides for an adequate level of data protection.

3. SCOPE

The Group Data Protection Policy and associated policies, procedures and standards are applicable on an enterprise-wide basis to all of the Group's critical data assets (regardless of the system in which the data are stored). It is applicable to all Companies and individuals across the Group who use or control the Group's Information Resources. This includes:

• the Board of Directors;
• all employees of the Group, whether employed on a full-time or part-time basis;
• all previous employees of the Group, whether employed on a full-time or part-time basis;
• all job applicants for positions within the Group;
• all contractors, service providers, suppliers and other people working on behalf of or engaged by the Group; and
• any other data subjects identified in the regular course of business by the Group.

4. DEFINITIONS

4.1. Binding Corporate Rules – Legally binding and enforceable internal rules and policies for data transfers within a multinational group of companies. They work in a way somewhat similar to an internal code of conduct.

4.2. Data Controller – A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

4.3. Data Processor – A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Group.

4.4. Data Processing – Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4.5. Data Protection Impact Assessment – A process to help identify and minimise the data protection risks of a project.

4.6. Data Protection Officer – The person who ensures, in an independent manner, that an organisation applies the laws protecting individuals' personal data.

4.7. Data Subject – The identified or identifiable living individual to whom personal data relates.

4.8. Personal Data – Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, etc.

4.9. Privacy by Design – A concept that integrates privacy into the creation and operation of new devices, IT systems, networked infrastructure and even corporate policies. Developing and integrating privacy solutions in the early phases of a project identifies potential problems at an early stage and prevents them in the long run.

4.10. Standard Contractual Clauses – Standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting, through contractual obligations, personal data leaving the Group's operational jurisdiction, in compliance with Data Protection legal requirements, where the destination territory is not considered to offer adequate protection to the rights and freedoms of data subjects.


5. POLICY STATEMENT

This Policy establishes the common principles and guidelines for conduct that are to govern the Group regarding personal data protection, ensuring compliance with applicable law under all circumstances. To support compliance with the appropriate standards and laws, this data must be managed using sound data protection principles. This policy endorses the Group's Data Protection Principles (refer Appendix A).

5.1. Data Protection Framework

Personal Data is a strategic asset; as such, the Group will implement a Data Protection Management Framework (refer Appendix B) to ensure that appropriate authority and controls are applied, and that personal data is managed in compliance with all legislative and other compliance obligations in the territories where we operate.

5.2. Data Protection Policy

This Data Protection Policy (this document) will be maintained by the Chief Data Officer, approved by the Data Governance Council, and published and communicated to all relevant employees and relevant external parties.

5.3. Collecting and Processing Personal Data

Data subjects will be made aware, at the point of collection and via privacy notices, of what data is being collected, the purpose for which it is collected, whether it will be shared with any third parties, etc.

Privacy notices will be included on all physical forms used to collect information, as well as on websites, apps, the intranet, etc. Additionally, when reviewing the different methods used to collect personal data, the Group will always consider whether a privacy notice should be included, and add one where needed.

All personal data shall be processed in a lawful manner and in good faith, in keeping with international standards and the respective regulations of the territories in which Guardian Group operates.

Where the Group collects personal data about third parties (for example, beneficiary information or emergency contact details), those data subjects' personal data will be processed to the same principles and standards as prescribed within this policy.

Where the personal data relates to a child, the Group will ensure that proper consent is received from the parent, legal guardian or legal representative of the child before the data is collected or processed.


5.4. Data Quality

The Group will adopt all necessary measures to ensure that the Personal Data it collects and processes is complete and accurate in the first instance and is updated to reflect the current situation of the Data Subject. These measures include:

o correcting personal data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification;
o keeping personal data only for the period necessary to satisfy the permitted uses or the applicable statutory retention period;
o removing personal data if it is held in violation of any of the Data Protection principles or if it is no longer required;
o restricting, rather than deleting, personal data insofar as:
  - a law prohibits erasure;
  - erasure would impair legitimate interests of the Data Subject; or
  - the Data Subject disputes that their personal data is correct and it cannot be clearly ascertained whether the information is correct or incorrect.

5.5. Data Subject Rights

The Group recognises the rights that all data subjects have in relation to how their personal data is collected, used, shared, stored and discarded, in accordance with the relevant Data Protection legislation and regulations of the territories in which we operate.

All personal data that is requested from the Group and its respective Business Units will be provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in keeping with the Group's Data Subject Request Policy.

5.6. Privacy by Design, Privacy by Default

The Group shall adopt the principles of Privacy by Design and Privacy by Default and will ensure:

o that any initiative that involves processing personal data is carried out with data protection and privacy in mind at every step; this includes internal projects, product development, software development, IT systems, etc.;
o that once a product or service has been released to the public, the strictest privacy settings apply by default, without any manual input from the end user;
o that when new projects involving personal data are developed, both at the Group and at the individual Business Unit level, a Data Protection Impact Assessment (see 4.5) is carried out by the Project Manager and reviewed by the Data Protection Officer in order to assess any privacy risks to data subjects and the organisation;
o that the minimum personal data is collected, disclosed and retained, for the minimum time necessary for the purpose; and
o that personal data is anonymised wherever necessary and appropriate.

5.7. Sharing of Data

Personal data will not be shared with any third parties external to the Group (either locally or internationally) without a valid business and/or legal reason. Where required, we will notify individuals that the sharing will take place, in the form of a privacy notice. If the data is to be shared for any new purpose, we will seek consent from the individuals concerned.

When personal data is to be shared locally with third parties external to the Group, a Data Sharing Agreement will be put in place to ensure that adequate protection is given to that data, so that the Group meets its data protection obligations and protects the rights of the individuals involved.

Any data sharing will also take into consideration:

o any statutory basis for the proposed information sharing;
o whether the sharing is justified;
o due diligence checks on the third party; and
o how to maintain the security of the data being shared.

Where the data is shared internationally with a third party external to the Group, the provisions of section 5.11 will also apply.

5.8. Data Protection Breaches

The Group will take all necessary steps to reduce the impact of incidents involving personal data by following the Data Security Breach Management Procedure. Where a data breach is likely to result in a risk to the rights and freedoms of data subjects, the Group's Data Protection Officer (DPO) will liaise with the respective Business Unit DPO and the Regulator and report the breach within the time specified by the respective jurisdiction. The Group DPO will also advise, where necessary, on actions to inform data subjects and reduce the risks to their privacy arising from the breach.

All employees and contractors of the Group who discover a personal data security breach shall also take the necessary steps, as outlined in the procedure, to immediately inform the relevant Head of Department/Unit or project manager, who will contact the Group and/or Business Unit DPO in accordance with the above procedure.


5.9. Data Security

We will take proportionate technical, physical and organisational measures, consistent with the Group's IT Security Policies, to ensure that all personal and sensitive personal data is held securely and protected from destruction, loss, unauthorised access and disclosure. Appropriate obligations will be incorporated into contracts with third parties.

5.10. Joint Controllership

In the event that multiple Business Units (joint controllers) jointly define the means and purposes of processing personal data (along with one or more third parties, if applicable), the Group shall conclude an agreement that stipulates their respective duties and responsibilities to the data subjects whose data they process.

Intra-group international data transfers will be subject to legally binding agreements referred to as Binding Corporate Rules (BCR), which provide enforceable rights for data subjects.

5.11. Transfer of Data outside of the jurisdiction in which we operate

Transfers of personal data outside of the territories in which we operate will be carefully reviewed prior to the transfer taking place, to ensure that they fall within the limits imposed by the relevant Data Protection Regulations, particularly as regards the adequacy of the safeguards for personal data applicable in the receiving country. Suitable tools can be:

o an agreement on standard contractual clauses; or
o binding corporate rules of the recipient that the responsible supervisory authorities have recognised as creating an adequate level of data protection.

5.12. Third Party Data Processors

External agencies contracted to undertake any data processing on behalf of the Group or its Business Units will be required to demonstrate compliance with the relevant Data Protection practices of the Group, as well as with the regulations in the territories where we operate. This will include satisfying the Group that they have the necessary technical and organisational measures in place to protect personal data.


5.13. Training

Oversight of training and development will be carried out by the Office of the Chief Data Officer and the Group Data Protection Officer. Business Units will provide support, assistance, advice and training to all relevant departments, offices and staff to ensure they are in a position to comply with the legislation. The Group's DPO will assist the relevant departments and Business Units in complying with the relevant Data Protection legislation.

6. ROLES AND RESPONSIBILITIES

Data protection compliance is a cooperative effort; the success of the program depends on collaboration between key stakeholders. The Data Protection Management Programme (DPMP) will be managed via a federated model (refer Appendix C).

6.1. Data Governance Council

The DPMP and its framework, and the governance structure that supports it, are part of the backbone of the Group's overall data governance framework and ground accountable decision-making around data. The Data Governance Council will approve all relevant data protection related policies, procedures and standards, monitor compliance and recommend solutions to issues relating to data protection within the Group.

6.2. Office of the Chief Data Officer

While accountability for data protection at the operational level ultimately resides with the Chief Executive Officer, day-to-day operational functions have been formally delegated to the Office of the Chief Data Officer. The office is charged with operationalising the Group's commitment to earn and maintain the trust of our clients and other stakeholders when it comes to how we handle personal data.

6.3. Group and (where applicable) Business Unit Data Protection Officer

The Data Protection Officer (DPO) is responsible for educating the company and its employees about compliance, training staff involved in data processing, and conducting regular privacy audits. The DPO also serves as the point of contact between the company and any Data Protection Authority that oversees activities related to Data Protection in the jurisdictions in which we operate. The DPO's responsibilities include, but are not limited to, the following:

o educating the company and employees on important compliance requirements;
o providing privacy training to staff involved in data processing;
o conducting audits to ensure compliance and address potential issues proactively;
o serving as the point of contact between the Group and the relevant Data Protection Authorities;
o monitoring performance and providing advice on the impact of data protection efforts;
o maintaining comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request; and
o interfacing with data subjects to inform them about how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information.

6.4. Data Protection Coordinator

• Support the work of the DPO within the respective Business Unit.
• Lead the respective Business Unit Privacy Team.
• Advise departments within the respective Business Unit on privacy-related concerns and obligations.
• Work at the direction of the DPO to develop and implement the controls and measures needed to ensure compliance, and structure and conduct privacy training to raise privacy awareness among employees.

6.5. Privacy Working Group

The Privacy Working Group will be established within the current federated Group Data Governance operational model. The Working Group will focus on establishing and strengthening the Group's data protection related policies, procedures and standards to ensure that they reflect the goals, values and principles of the Group. It will be composed of members of the respective Business Units with responsibility for Data Protection, as well as representatives from departments such as Human Resources, IT, Legal, Compliance, Marketing, etc.

6.6. Business Unit Privacy Team

Each Business Unit, based on the legal requirements of the respective jurisdiction, shall establish a Privacy Team. The team will focus on establishing and strengthening the Group's data protection related policies, procedures and standards to ensure that they reflect the goals, values and principles of the Group as well as of the Business Unit and the applicable laws. The team will be composed of members of the respective Operational Divisions, as well as representatives from Human Resources, IT, Legal, Compliance, Marketing, Customer Service, etc.


6.7. Information Security

• To help safeguard the personal information under our control;
• To control access to personal information, limiting access to those who have a need;
• To identify and remediate security risks to personal data;
• To monitor, investigate and contain suspected personal data breaches.

6.8. Legal and Compliance

• To work with the Group DPO to ensure our DPMP is compliant with the law and that we stay up to date on new legal requirements and regulatory guidance;
• To assist the Group DPO to respond in a prompt and appropriate manner to our regulators in respect of matters relating to our handling of personal data; and
• To protect our clients' and team members' privacy through established contract reviews and controls wherever appropriate.

6.9. IT Procurement

• To collaborate on the review, selection and monitoring of partners and other organisations who handle or have access to personal information of our clients or team members;
• To ensure that appropriate contractual controls around the privacy and security of data are in place with such organisations.

6.10. Human Resources

• To work with the Group DPO to promote privacy training and awareness for all of our team members;
• To ensure that our people and culture practices reflect our commitments to team member privacy;
• To support the enforcement of the rules and standards put in place to protect client and team member privacy, providing coaching and discipline where appropriate;
• To review team member compliance with ethics, privacy, security and respectful workplace policies, including the review of any breach of obligations under those policies, to ensure that appropriate disciplinary action is taken, up to and including dismissal.


6.11. Product Development and Management Teams

• To ensure, by embracing the principles of Privacy by Design, that our products and services support our commitment to protect privacy and to be transparent about our personal data handling practices.

6.12. Group Risk

• To identify, manage, monitor and report on privacy-related risk at the Group level;
• To assist in the identification of privacy-related compliance risk and support recommendations from our internal audit process.

6.13. Data Steward

• Serve as the subject matter expert (SME) for their data domain.
• Identify and work with the Data Owner and Data Custodians to resolve data issues.
• Act as a member of the Data Governance Working Group.
• Establish requirements for, and assess the quality of, the data within their respective Business Unit/data domain.
• Create and manage data standards and business rules within their respective Business Unit/data domain.
• Perform audits and data quality improvement activities, including taking corrective action on the data within their respective Business Unit/data domain.

6.14. All Business Units

• To maintain awareness about privacy, to ensure that every team member understands that they have personal responsibility for meeting the Group's privacy commitments every day in everything they do;
• To appoint data stewards to be advocates for data governance and data management processes within the Business Unit, to ensure that data governance principles and standards are successfully operationalised.

6.15. All Staff

All Staff (including contingent workers and contractors) have a responsibility to:

o comply with the Data Protection Policy and its associated policies and procedures; and
o participate in training related to data protection.


7. ENFORCEMENT

Failure to comply with the Group Data Protection Policy and its associated standards and processes may result in non-compliance with the Data Protection laws to which the Group and its respective Business Units are subject. Such non-compliance could result in loss of trust by clients and reputational harm, and can adversely affect the financial standing of the Group.

The Group's Disciplinary Policy will be referenced in cases of violation of and/or non-adherence to this policy, which may result, in the first instance, in the denial of requests and the restriction of the user's rights to access data and systems.

8. POLICY ADMINISTRATION

The Office of the Chief Data Officer is responsible for the administration, revision, interpretation and application of this policy. This policy will be reviewed annually. All changes to this policy will be passed to the Data Governance Council for approval on the recommendation of the Chief Data Officer.

The Group may at any time, by notice in writing, alter all or any of the terms and conditions of the Policy; such alterations shall have effect from the date specified in that notice. Changes to the Appendices are considered minor edits under the Group's Policy Framework and can therefore be approved by the Chief Data Officer.

9. OTHER RELATED POLICIES

• Group Data Quality Policy
• Group Data Retention Policy
• Group Data Sharing Policy
• Group Data Protection Policy
• Group Information Security Governance Policy
• Group Information Classification Policy

10. VERSION HISTORY

Version | Date            | Summary                                                                              | Changed By
V1      | 19 January 2021 | Initial draft                                                                        | Rishi Maharaj
V1.1    | 1 March 2021    | Revised based on comments from Eduard Mouget, Mgr. Enterprise IT Risk & Security     | Rishi Maharaj


11. Appendix A - Guardian Group Data Protection Principles

The Guardian Group shall observe the following principles when processing personal data that are subject to the Data Protection laws and regulations where we operate:

1. Due Care: We process personal and sensitive personal data with due care, in a fair, lawful and transparent way.

2. Data Quality
   a. Purpose Limitation: We only process personal data to fulfil specific, clear and legitimate business purposes. We may make specific, clear and legitimate changes to our business purposes.
   b. Data Minimisation & Accuracy: If we are informed of changes to personal data, or make changes as part of our processing of personal data, we ensure that:
      i. all personal data are up to date and that any inaccurate personal data are promptly erased or rectified, as appropriate, bearing in mind why we are processing the personal data;
      ii. any updates to personal data are reflected across our systems and databases, whether internal or external; and
      iii. the personal data collected are adequate and limited to what is necessary for our business purposes.
   c. Storage Limitation: We only keep personal data for as long as we need to meet our business purposes or as required by law.

3. Transparency & Openness: Generally, we collect personal data directly from the client. If we collect personal data from other sources, it is because this is reasonable and permitted by law. The information we provide may differ depending on the source of the personal data.

4. Lawfulness of Processing
   a. Lawful Basis for Processing Personal Data: We only use personal data if we have a lawful basis to do so. Where processing is necessary, these reasons include the need to:
      i. enter into a contract with the client, or take steps at the client's request before entering into a contract;
      ii. comply with our legal obligations;
      iii. protect the vital interests of our clients or those of another individual;
      iv. perform a task in the public interest or exercise an official authority vested in us; or
      v. undertake actions for our legitimate business interests or the business interests of a third party, except where those legitimate interests are overridden by the clients' interests or fundamental rights and freedoms.
   b. Consent: If we process personal data based on consent, we:
      i. ensure that the wording and format used to collect consent are clear and easy to understand, and that consent is freely given, specific, informed and clear;
      ii. have processes to record the giving and withdrawal of consent and ensure that consent can be withdrawn easily; we also inform data subjects of this withdrawal right before consent is given; and
      iii. ensure that, if consent is collected as part of a written declaration that also concerns other matters, such as a contract, the request for consent is presented in a manner clearly distinguishable from the other matters.

5. Relationship with Data Processors (for example, service providers working for us): We only allow data processors acting on behalf of the Group to collect and process personal data if they enter into a written agreement with us outlining data privacy and protection requirements. To ensure the quality of this process, we:
   a. conduct due diligence checks and risk assessments to evaluate data processors, to ensure they meet our security and confidentiality obligations and protect the personal data; and
   b. periodically monitor data processors to verify ongoing compliance with their data privacy and protection obligations.

6. Security & Confidentiality: We handle personal data in accordance with the information security policies and standards of the Group and with the laws and regulations that apply to us. We adopt appropriate technical and organisational security safeguards to protect personal data against risks that may result from improper use, particularly against accidental or unlawful destruction, alteration or loss, and unauthorised disclosure of or access to personal data. The measures depend on factors such as the state of the art, the nature and scope of the processing and the level of risk, but may include:
   a. using encryption, anonymisation and partial anonymisation of personal data, where appropriate;
   b. regularly testing, assessing and evaluating the effectiveness of the security measures for ensuring the security of the processing; and
   c. maintaining business continuity and disaster recovery plans and contingencies, including ongoing confidentiality, integrity, availability and resilience of systems and services.

7. Personal Data Loss: We will inform the respective stakeholders, based on lawful requirements, if a personal data loss incident is likely to result in a high level of risk to their rights and freedoms, including the following specifics:
   a. the nature of the personal data loss incident;
   b. the likely consequences of the personal data loss incident; and
   c. the measures we are taking or plan to take to address the personal data loss incident, including, if appropriate, measures to mitigate its impact.

8. Privacy by Design & Default
   a. Privacy by Design: We consider the principle of privacy by design when designing or changing anything that affects the processing of personal data (for example, developing a new product, service or information technology system) to help us:
      i. identify and limit the data protection impacts and risks of the processing;
      ii. comply with the legal obligations affecting the processing; and
      iii. limit the data we collect, or identify different ways that lessen the impact on data privacy and protection while meeting the same business goal.
   b. Privacy by Default: We use appropriate technical and organisational measures to ensure that, by default, we only collect and process the personal data needed for our business purposes. We also use this principle to embed data privacy and protection controls into our processing activities, which means that personal data will not be published or shared by default.

9. Cooperation with Data Protection Authorities: We will cooperate with the data protection authorities in the jurisdictions in which we operate by:
   a. making the necessary personnel available for liaison with the respective data protection authorities; and
   b. complying with their advice on any matter regarding the rules for international transfers.


12. Appendix B - Guardian Group's Data Protection Management Program Framework

The primary objective of the Group's DPMP Framework is to provide guidance to our internal privacy team and DPO in assessing whether our control objectives for personal data are achieved. It can additionally be used as a tool by both our internal and external auditors in auditing compliance. The Framework is based on the following 'best practice' frameworks (see Appendix A for a full outline of the DPMP Framework):

• GAPP (Generally Accepted Privacy Principles), issued by the AICPA/CICA;
• the NOREA Privacy Control Framework;
• the General Data Protection Regulation (GDPR); and
• ISO/IEC 27701:2019.

Figure 1: DPMP Framework. The framework's domains are Manage, Collect, Process, Access, Disclose, Secure and Enforce.


13. Appendix C - Guardian Group's Data Protection Management Program Federated Governance Model

Figure 2: Group Data Protection Governance Structure. The diagram shows the following tiers, connected by arrows labelled Implementation and Escalation:

• The Board of Directors, CEO, Executive Team: the overall sponsor and champion of Data Protection within the Group.
• Data Governance Council (Governance): handles the administrative aspects of Data Protection.
• Office of the Chief Data Officer (Management), Group Data Protection Team: establishes and oversees the vision and goals, prioritises targets to align with the organisation and sets the strategic direction for the Data Protection Program.
• Data Protection Officer: responsible for educating the Group and its employees about compliance, training staff involved in data processing, and conducting regular security audits; serves as the point of contact between the Group and any Regulator that oversees activities related to Data Protection.
• BU Data Protection Teams, BU DPOs: provide assistance to the DPO in monitoring and managing data protection compliance; address specific issues and concerns by providing information, data dependencies for tools, and direct support to the data protection program.