Nikhil Sugnani

Mumbai

Summary

A versatile and proven executive with over 18 years of extensive experience building global data protection programs and expertise in operationalizing privacy, global compliance strategy and governance frameworks. In my current role, I spearhead Virtusa's data protection and privacy initiatives, ensuring compliance with global data protection regulations and providing guidance and advice on data protection matters in North America, Mexico, the UK, the EU and Asia. Successfully steered the mission to educate and enhance the 'privacy' culture within large organizations.

Overview

19 years of professional experience

Work History

Virtusa
Mumbai
09.2021 - Current
  • Lead the global data protection office for the Company and set the strategy around the appropriate use of personal data, building a strong privacy posture in both the first and second lines of defence to ensure that privacy risks are mitigated and to support the business in remaining compliant.
  • Facilitate compliance with complex and evolving privacy regulatory requirements arising from the collection, use, sharing, storage and international transfer of personal data, and secured ISO 27701 and TRUSTe Privacy Certification for the Company.
  • Monitor Data Processing Addendum obligations and spearhead responses to and negotiation of complex contracts on data protection and privacy-related clauses.
  • Revitalized the Privacy Policies, Procedures and Privacy Notice, streamlining and simplifying the language to accurately reflect the business requirements for data processing and the Company's practices.
  • Meet compliance obligations and mitigate exposures arising from the use of new technologies (including cloud-based technologies, predictive analytics, social marketing and Generative AI) and effectively manage vendor risk.
  • Lead the Company's global privacy program and ensure that privacy is embedded into the business' personal data collection, storage, use and sharing practices through integration at the ideation stage. Effectively balance risk management and the interests of the business while building programs, policies, procedures and governance.
  • Work closely with key stakeholders such as the Chief Risk Officer, the General Counsel's Office, the Chief Information Security Office, the Global Marketing and Communication Team, the Global Procurement Team and other leaders to operate the privacy program and enable the business while mitigating risk.
  • Implemented robust privacy controls and monitor compliance, including conducting Data Protection Impact Assessments, privacy reviews of internal systems, processes and portals, and Transfer Impact Assessments.

KPMG
Mumbai
11.2019 - 09.2021
  • Member of KPMG's India digital risk consulting practice, specialised in data privacy and cyber security advisory services; assisted organizations across several industries: financial services, manufacturing, healthcare and telecommunications.
  • Assisted organizations in addressing the legal and regulatory challenges across multiple privacy regimes.
  • Built and developed relevant compliance toolkits to meet the complexity of the personal data landscape.
  • Led multiple engagements assessing organizations' compliance with the EU privacy regulation GDPR and assisted in developing strategy and governance frameworks for data protection and privacy.
  • Advised clients on technical aspects of data protection and privacy governance management.
  • Developed a privacy technology solution (assessment automation) to achieve efficiency and optimization.
  • Developed tailor-made solutions and methodologies to meet clients' regulatory requirements.

Vodafone Idea Limited
Mumbai
05.2016 - 10.2019
  • Managed the enterprise data privacy and protection program supporting 20+ offices pan-India. Advised senior leadership on all aspects of data privacy and protection regulations. Led a team of senior information security and privacy professionals. Spearheaded the BS 10012 and DSCI Privacy Framework certification program.
  • Developed strategies to address the maturing data privacy and protection landscape.
  • Ensured compliance with all legal and regulatory requirements, including DoT licensing security requirements, ITAA 2008 Section 43A, BS 10012, the DSCI Privacy Framework and Data Security Standards.
  • Implemented the EU regulation GDPR for Vodafone India and led the GDPR Compliance Steering Committee.
  • Led mission-critical data security deployments, including Mobile Application Management (MDM), data anonymization, data classification, Data Loss Prevention (DLP) and data encryption technologies.
  • Implemented a Privacy by Design program to ensure all new solutions and enhancements are assessed for privacy risk at the design and development phase.
  • Advised and supported the Legal function on contractual reviews related to data protection and processing clauses.
  • Designed and implemented information security and data privacy awareness and training programs.

CIPLA Limited
Mumbai
06.2013 - 05.2016
  • Spearheaded multiple portfolios in information security risk and governance and established a privacy organization for a large generic pharmaceutical company supporting 30 locations. Advised senior executive leadership and stakeholders across business functions on all aspects of information security and privacy compliance posture and strategy.
  • Designed, implemented and led the information risk management framework. Established the technical risk board, which comprises risk management steering committee members responsible for the risk management lifecycle.
  • Engaged with the global chief legal officer on an enterprise-wide privacy assessment program for identification of data subjects across business functions and 18 geographic locations.
  • Successfully established and implemented a cyber security operations centre (SOC) by centralizing existing security solutions (anti-malware, patch management and the incident response team (IRT)).

Ernst & Young LLP
Mumbai
12.2007 - 04.2013
  • Managed multiple client projects of varying size and complexity, from conceptualization to execution, involving engagement planning, budget management and resource planning throughout the engagement lifecycle. Experienced in managing global mandates and projects on client engagements.
  • Led internal and IT general controls audits and SOC 2 reviews for outsourcing and ITES organizations and manufacturing industries. Handled vendor risk assessments of information security controls at multiple locations in India for one of the largest ITES organizations.
  • Performed US regulatory and compliance reviews covering the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Fair Debt Collection Practices Act (FDCPA) and Privacy Act for a large business process outsourcing company with a presence in North America.

Moores Rowland Consulting (Haribhakti & Co.)
Mumbai
08.2006 - 11.2007
  • Advised clients and handled client engagements in the areas of information security, third-party risk management, business process reviews, risk and compliance reviews and IT internal audits for leading firms in the financial services industry.

Education

Master of Business Administration (MBA) - Systems

Mumbai, India
01.2006

Bachelor of Science - Information Technology (IT)

Mumbai, India
01.2004

Skills

  • Enterprise data security architecture (ISO 27701, ISO 27001, HIPAA, NIST RMF)
  • TRUSTe Enterprise Privacy Certification

Certification

  • AI Applications for Growth, Kellogg School of Management, 2024
  • Certified Data Privacy Solutions Engineer (CDPSE), Information Systems Audit and Control Association (ISACA), 2020
  • Certified Blockchain Expert (CBE), Blockchain Council, 2020
  • Diploma in Cyber Law (DCL), Asian School of Cyber Laws, Mumbai, 2019
  • DSCI Certified Privacy Professional (DCPP), Data Security Council of India (DSCI), 2018
  • Certified Information Systems Auditor (CISA), Information Systems Audit and Control Association (ISACA), 2014

Accomplishments

  • Awarded DSCI Excellence Award for ‘Best Privacy Practice in User Industry’.
  • Hosted DSCI Privacy Chapter meetings recognizing 'Data Privacy Day' and conducted an awareness session on 'Data Privacy – A boardroom discussion'.
  • Awarded the Certificate of Excellence for outstanding performance and creativity in executing an 'IT & Business Risk Assessment' engagement for one of the larger media and entertainment companies in India.

Timeline

Virtusa, Mumbai: 09.2021 - Current
KPMG, Mumbai: 11.2019 - 09.2021
Vodafone Idea Limited, Mumbai: 05.2016 - 10.2019
CIPLA Limited, Mumbai: 06.2013 - 05.2016
Ernst & Young LLP, Mumbai: 12.2007 - 04.2013
Moores Rowland Consulting (Haribhakti & Co.), Mumbai: 08.2006 - 11.2007
Master of Business Administration (MBA) - Systems, Mumbai, India: 01.2006
Bachelor of Science - Information Technology (IT), Mumbai, India: 01.2004