Infosys

Ready Score 61/100
Analysis supervised by Sushant Pasumarty
9 Feb 2026

Infosys scores 61/100 due to mature global privacy practices built for GDPR/CCPA. However, as India's second-largest employer in tech with 230K+ employees, its DPDP obligations extend to employee data processing — a dimension its global policy doesn't specifically address.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference — GDPR-aligned global policy
  • Employee data processing (230K+ employees) not separately addressed for DPDP
  • Client data processing as a processor — DPDP fiduciary/processor distinction unclear
  • Data Protection Board not referenced
  • DPDP Section 14 nomination absent

✅ Strengths

  • Mature global privacy program — GDPR, CCPA compliant
  • ISO 27001, SOC 2, and industry certifications
  • Data protection officer designated
  • Clear data processing agreements with clients
  • Privacy impact assessments conducted
  • Regular privacy audits and training

Overview

Infosys processes data in two capacities: as a data fiduciary (employee data, visitor data, recruitment data) and as a processor (processing client data on behalf of enterprise customers). DPDP affects both roles differently, and Infosys’ global privacy framework needs India-specific layering.

DPDP Readiness: Section-by-Section Analysis

For 230K+ employees, consent for employment data processing is largely covered by employment agreements. But DPDP requires:

  • Separate consent for employee monitoring (email, internet, workspace cameras)
  • Health data consent (wellness programs, insurance, COVID tracking)
  • Background check data consent with specific retention

Section 8 — Obligations of Data Fiduciary ✅

Enterprise-grade security across all dimensions. One of the strongest security postures in Indian industry.

Section 9 — Data Retention ⚠️

Employee data retention is partially defined by labor laws, but open questions remain:

  • Employee performance review data — how long after exit?
  • Internal communication data (email, chat) — retention?
  • Workspace surveillance footage — retention?

Client Data Processing ⚠️

As a processor for global clients, Infosys must navigate:

  • Indian employee access to client personal data
  • DPDP obligations when Indian employees process foreign personal data
  • Client contractual requirements vs. DPDP requirements

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Employee data compliance | Medium | 230K+ employees under DPDP |
| Client data processing | Medium | Processor obligations under DPDP |
| Global-India policy gap | Medium | Need India-specific DPDP layer |
| Security | Low | World-class infrastructure |

Recommendations

  1. Create India-specific DPDP policy — Layer on top of global privacy program
  2. Address employee data comprehensively — Consent, retention, and rights for 230K+ employees
  3. Implement DPB escalation alongside global privacy complaint channels
  4. Add Section 14 nomination for employee data
  5. Clarify processor obligations under DPDP for client data processing

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.