GDPR: How is Ugam ensuring compliance

On 25 May 2018, the European Union's most significant piece of data protection legislation, the General Data Protection Regulation (GDPR), came into force. GDPR is designed to protect the personal data of individuals and to facilitate the exchange of information for businesses that operate in the European Union.

A global leader in data and analytics, Ugam has taken proactive measures to ensure the safeguarding and protection of the personal data of its customers, respondents and employees. Ugam is primarily a Data Processor in the context of GDPR.

Following is an overview of the steps we have been taking towards GDPR compliance at Ugam:

Governance Framework
We have established the Data Protection Governance Framework in the organization to cover privacy compliance.

Data Privacy Team
A dedicated team has been established to implement GDPR and data privacy controls in the organization. Both the information security team and this dedicated team have been trained on GDPR compliance requirements.

The Data Privacy Policy has been approved by the senior management and published on the intranet portal and made available to all the employees of the organization. Similarly, we have also updated our privacy policy on our website in accordance with GDPR.

Training and Awareness
A Data Privacy awareness program has been developed. The key stakeholders, i.e. Senior Management, Legal, IT and Business Operations, have been trained on privacy and the importance of GDPR. We have rolled out dedicated GDPR training for all our employees across all locations.

Privacy Impact Assessment (PIA)
We have mapped client-specific data flows and performed client-specific PIAs.

Data Breach Incident Management
Our Information Security Incident Management process covers the notification of data breach incidents to the data collector within 72 hours.

Technical Security Controls
Ugam is certified to ISO 27001:2013 for its delivery centers in India. In addition, the primary controls with regard to data protection are:
  • Segregation of Data - A separate folder structure is created for each client, which ensures segregation of data. Personal data is maintained in segregated folders with restricted logical access.
  • Access Control
    • Access to information is tightly controlled and granted only to those users who have a business need to perform the functions necessary to deliver the service, after approval from their manager.
    • Access rights are reconciled and reviewed periodically to ensure that only authorized access remains.
    • User activity logging is enabled on critical systems.
  • Data Transfer and Encryption - Personal data is secured in transit using encryption technologies such as HTTPS and SFTP. We have applied encryption at rest on file shares wherever required. We make use of industry-standard encryption for protecting our critical systems.
  • Data Retention and Disposal - Personal data is retained for a specific period or until its purpose is fulfilled, and is then disposed of securely using industry-accepted practices.
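As an added illustration of two of the controls listed above (the periodic access review and the retention-based disposal), the following Python script reconciles an approved-access register against the access control entries observed on client-segregated folders, and lists records whose retention period has elapsed. This is example code written for this page, not Ugam's own tooling; the folder paths, user names, approver names, retention periods and review date are all constructed placeholders.

```python
"""Access reconciliation and retention check over constructed sample data.

Models two controls: a periodic review of who holds access to each
client's segregated folder (flagging grants with no approval and grants
whose approval has lapsed), and identification of personal-data records
that have passed their agreed retention period and are due for disposal.
Every value below is constructed for the example; names and paths are
placeholders, not real systems.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Approval:
    user: str
    folder: str          # client-segregated folder the access was approved for
    approved_by: str     # manager who confirmed the business need
    valid_until: date    # approvals expire and must be renewed at review


@dataclass(frozen=True)
class Record:
    record_id: str
    folder: str
    collected_on: date
    retention_days: int  # retention period agreed for this data set


# Constructed: approved-access register maintained by the privacy team.
APPROVALS = [
    Approval("alice", "/data/clients/client-a", "mgr-ops", date(2018, 12, 31)),
    Approval("bob", "/data/clients/client-a", "mgr-ops", date(2018, 6, 30)),
    Approval("carol", "/data/clients/client-b", "mgr-ops", date(2018, 12, 31)),
]

# Constructed: ACL membership as read from the file shares during the review.
OBSERVED_ACL = {
    "/data/clients/client-a": {"alice", "bob", "dave"},
    "/data/clients/client-b": {"carol", "alice"},
}

# Constructed: inventory of personal-data records per client folder.
RECORDS = [
    Record("r-1", "/data/clients/client-a", date(2017, 1, 10), 365),
    Record("r-2", "/data/clients/client-a", date(2018, 3, 1), 365),
    Record("r-3", "/data/clients/client-b", date(2016, 5, 20), 730),
]


def reconcile_access(approvals, observed_acl, review_date):
    """Compare granted access against the approval register.

    Returns (unapproved, expired) as sorted lists of (folder, user):
      unapproved - present in the ACL with no approval on record at all;
                   candidates for immediate revocation.
      expired    - present in the ACL but the approval lapsed before
                   review_date; the manager must renew or access is removed.
    """
    current = {(a.folder, a.user) for a in approvals if a.valid_until >= review_date}
    # A user whose approval was renewed appears in both sets; renewal wins.
    lapsed = {(a.folder, a.user) for a in approvals if a.valid_until < review_date} - current
    granted = {(folder, user) for folder, users in observed_acl.items() for user in users}
    unapproved = sorted(granted - current - lapsed)
    expired = sorted(granted & lapsed)
    return unapproved, expired


def records_due_for_disposal(records, review_date):
    """Return ids of records whose retention period ended before review_date."""
    return sorted(
        r.record_id
        for r in records
        if r.collected_on + timedelta(days=r.retention_days) < review_date
    )


def run_review(review_date=date(2018, 7, 1)):
    """Run both checks for one review cycle and return the findings."""
    unapproved, expired = reconcile_access(APPROVALS, OBSERVED_ACL, review_date)
    return {
        "unapproved_access": unapproved,
        "expired_approvals": expired,
        "records_due_for_disposal": records_due_for_disposal(RECORDS, review_date),
    }


if __name__ == "__main__":
    for finding, items in run_review().items():
        print(f"{finding}:")
        for item in items:
            print(f"  {item}")
```

The review date is a parameter so the same script can be re-run at each periodic review; the three findings lists are the evidence a reviewer would attach to the review record, and an empty result for all three is the expected steady state.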

Vendor Privacy Compliance
The Ugam Vendor Information Security Assessment (U-VISA) process has been established and covers privacy compliance as well. Vendor agreements are being updated to cover data privacy aspects.

For more information, contact: