Cap Gemini - Registration Document 2016

CAPGEMINI: PEOPLE, CORPORATE SOCIAL RESPONSIBILITY (CSR) AND BUSINESS ETHICS

3.1 Our approach

Raising concern procedure: a dedicated procedure for requesting advice and raising concerns

The Code of Business Ethics provides that an employee faced with a question or issue involving ethics or compliance should discuss the matter first with his/her local manager. If the issue is not resolved by the manager, or if the employee is not comfortable discussing the matter with his/her manager or if other procedures for dealing with individual grievances are not applicable, the employee may use the employees’ dedicated Raising Concern Procedure (RCP). Employees may in this way seek advice and guidance on appropriate action from the local GC-ECO, or even directly from the CECO in Paris. In operation since late 2013, the RCP is applied on a case-by-case basis in the countries where the Group operates, in accordance with applicable legislation.

Integration of former IGATE employees

During 2016, the main focus for the Group Ethics & Compliance Program has been on the integration of former IGATE employees into this Program. Firstly, an updated Code of Business Ethics was communicated to all of them by top management and the Chief Ethics & Compliance Officer in February. Secondly, the three specific E&C e-learning modules described above (Code of Business Ethics, Group Anti-Corruption Policy, Group Competition Laws Policy) were assigned to them. Thirdly, former IGATE employees were incorporated into the regular Group E&C communication and learning activities.

More than 80,000 E&C e-learning sessions have been completed by former IGATE employees in 2016, representing around 50,000 hours of training. Year over year, while integrating more than 30,000 former IGATE employees in 2016, the total percentage of Group employees (Capgemini + former IGATE) that have completed each of the 3 E&C e-learning modules has increased considerably. While efforts are ongoing, this already represents a significant achievement for the whole organization.

3.1.5 Cybersecurity and data protection

In July 2014, Capgemini Group Management Board decided to transform its IT security approach to better take into account its clients’ requirements and issues of data protection. The CySIP (Cybersecurity & Information Protection) Program was launched in November 2014 and is aimed at reinforcing Group competitiveness whilst anticipating new regulations such as personal data protection.

Sponsored by the Group General Secretary, the CySIP Program published in March 2015 a CySIP Strategy (stakes, objectives and governance) and a CySIP Baseline (minimum and mandatory practices), a data privacy strategy and a personal data protection policy. These rules must be implemented within all Capgemini entities before the end of 2017.

The CySIP program is composed of three communities that are working together under steering of the Group CySIP Officer: the CySIP Officers in Strategic Business Units (focused on clients’ requirements and security of delivery projects), the Data Protection Officers (DPO: focused on personal data protection and sensitive data confidentiality) and the Chief Information Security Officers (CISO: focused on internal IT).

The three CySIP communities meet every year during two days to prepare the annual work plan. By the end of 2016, the corporate governance is in place, policies and standards are harmonized. A global roll-out plan is sponsored by the Group CEO and has been launched for all employees. It includes mandatory e-learning modules and other innovative multimedia tools.

Since 2015, the CySIP operational projects focus on 3 major topics: Identity and Access Management (to reinforce access controls to applications and data) and Security Information and Event Management (to reinforce detection and response capacities). The Capgemini Security Operation Centers in Europe and India will provide new monitoring services of our Infrastructures and IT systems. A BYOD (Bring Your Own Device) policy and tool have been defined and implemented in 2016 to secure access and data when using personal devices for professional purpose. Finally, maturity assessments related to the CySIP Baseline, data protection practices and operational projects implementation are performed on an annual basis. They are part of an overall Audit and Control Plan.

The self-assessment is performed in order to verify whether the mandatory practices are implemented, and is complemented by technical audits and penetration tests, enabling the definition of yearly risk mitigation plan globally and for each entity. The purpose is to ensure that the objectives of the CySIP Strategy, governance and rules are reached by the end of 2017.

Data protection and data privacy were a major priority on the 2016 agenda. Capgemini Binding Corporate Rules on personal data protection (BCRs) – covering Group activities acting as data controller and data processor – were approved by the French data protection authority, the CNIL, on March 2, 2016, on behalf of all European Data Privacy Authorities. All Capgemini Group entities have formally adhered to the BCR and the BCR are currently being implemented within the organization. The BCR have been published on the external website of Capgemini and clients now have the opportunity to rely on BCRs for the transfer of their personal data within Capgemini Group globally.
