Lucille Bonenfant

Vice-President and Chief Privacy Officer

Rapid change is the “new normal” for today’s commercial and government organizations. This requires executives to embrace highly resilient and agile practices to lead their organizations, while adhering to core principles, such as respecting privacy, safeguarding data, ensuring transparency and fostering trust.

On this year’s Data Privacy Day (also known in Europe as Data Protection Day), I reflect on the fundamental “privacy by design” principles required to embed data privacy and protection into daily operations. This is particularly critical as organizations embrace new technologies, such as the growing use of artificial intelligence, including GenAI, and search for the right balance between data protection and innovation.

Embedding privacy protection accelerates organizations’ digital transformation

Each year, to get a pulse on our clients’ priorities and investment plans, we engage in CGI Voice of Our Clients (VOC) research across numerous topics. In the areas of data privacy and protection practices along with data strategy, we observed the following trends based on more than 1,800 in-depth VOC executive interviews in 2024:

  • Clients’ top improvement areas in the next three years are data management and governance and data quality.
  • Their top innovation investment priority is AI.
  • Those categorized as digital leaders are more advanced in producing expected results from their data privacy and protection strategies (73% compared to the 28% who are building or launching their digital strategies).

Additional findings show that digital leaders are more proactive in embedding privacy protection into their activities. For example, digital leaders more often have a holistic data strategy for their enterprise and ecosystem (68% compared to 15% who are building or launching digital strategies).

It’s clear that digital leaders incorporate privacy protection at the earliest stages of the design and development of new products and services, not only to comply with regulatory obligations, but also to gain a competitive advantage by positioning themselves as leaders in data protection and privacy-friendly innovation. This is especially important for their customers and citizens as GenAI brings about a paradigm shift from automation to creation. (Visit our AI blog series to read more insights and recommendations on this topic.)

Adhering to privacy fundamentals throughout the year

While Data Privacy Day is a great opportunity to reinforce data protection best practices, privacy by design needs to be practiced 24/7 throughout the year.

What is privacy by design? Based on seven principles detailed in the General Data Protection Regulation (GDPR), privacy by design is a data-oriented and people-centric approach that embeds privacy defenses and safeguards for individual rights into the design of an organization’s business practices, processes and systems. Rather than treating privacy requirements as a “bolt-on feature,” data privacy and protection are built in at the earliest stage of solution design.

As the saying goes, “prevention is better than a cure.” Taking this proactive approach enables organizations to avoid the unintended and costly consequences of having to retrofit privacy measures further down the life cycle of a process or system.

Privacy by design is also instrumental for industry executives as they pursue, according to our VOC findings, a dual agenda of innovation and efficiency. (Read our press release: C-suite agenda seeks growth and innovation in balance with cost control and efficiency.) Achieving this dual agenda requires embedding privacy and data protection best practices within an organization and across its ecosystem, something digital leaders across industries are doing.

Keeping AI in mind when embracing privacy by design

In embedding data privacy and protection best practices across the enterprise, it’s important to keep the unique attributes and requirements of AI in mind. At CGI, we embrace responsible AI principles and AI governance for both ourselves and our clients. This ensures successful development, deployment and use of AI systems, including effective privacy protection, as the AI regulatory landscape continues to evolve. That landscape includes regulations such as the EU AI Act, which entered into force on August 1, 2024 with a gradual application over time, and many other legislative initiatives underway around the world.

Committed to complying with evolving regulatory requirements, we also actively engage in AI governance initiatives and discussions with regulatory authorities. For example, we are a signatory of Canada’s Voluntary Code of Conduct for Artificial Intelligence, as well as the EU AI Act Pledge as part of our wider strategic engagement with the European Commission's AI Pact.

Creating a privacy “baseline” in your organization

Since the release of GDPR, we have used its requirements as our global privacy program’s baseline. This helps CGI adapt rapidly to the evolving and expanding data-related regulatory landscape, including AI regulations. CGI’s global privacy program and our risk and compliance management processes better position us for meeting the regulatory requirements imposed by the EU AI Act, as well as other AI-related regulations expected to emerge over the coming months and years across our global operations.

As our clients and all organizations reflect on their privacy baseline this Data Privacy Day, here are some fundamental practices we follow to protect individuals’ rights and provide responsible and trustworthy use of data in daily operations.

  • We created and maintain responsible use of data and AI frameworks to support our CGI Partners in embracing emerging technologies, while responsibly handling data and integrating best practices into our own environments and our clients’ ecosystems.
  • Through a data privacy review process applicable to any client opportunity and CGI internal solution involving personal data, we assess, at the earliest stage, the privacy risks associated with the development and use of technologies. This enables us to anticipate data processing restrictions, properly protect data, and mitigate data risks for CGI, our clients, and the individuals whose data will be processed by the planned solution.
  • Our data processing inventory is a core element of our privacy program and helps us meet our legal obligations, as well as map all our data processing activities across our operations through a central and unique register.
  • Our data handling practices are transparent and accessible through the privacy section of our public-facing web site.
  • We developed and maintain a privacy by design code of practices to assist CGI Partners (in particular those who develop IP business solutions for clients) to proactively embed privacy and data protection at the earliest stage of the design and development life cycle process.
  • Through ongoing training, including an annual mandatory course and numerous year-round learning sessions, we remain vigilant about privacy awareness and continually educate our CGI Partners, freelancers and subcontractors on the importance of making data protection an everyday priority. In addition, we have a global team of privacy experts who support CGI Partners in fostering data protection and individual rights for the benefit of our three stakeholders.

Happy Data Privacy Day!

Privacy by design not only protects the information of your stakeholders, but it also increases their trust and satisfaction. At CGI, we use Data Privacy Day to raise awareness and celebrate the strides we’ve made to foster best practices. It also serves as a reminder of our commitment to stay vigilant and continuously improve privacy protection in all we do for ourselves and our clients.

As you work to implement privacy by design standards in your growing use of AI and any other technology investment, contact us if you have any questions.

About this author

Lucille Bonenfant

In May 2021, Lucille Bonenfant was appointed CGI’s Chief Privacy Officer, overseeing the company’s global data protection strategy, enterprise-wide data protection policies and procedures, and data protection regulatory compliance. A prominent lawyer with more than 15 years’ experience in business and contract law, including ...