GBS Insider ClubField Guide Free
Tech Governance June 2026

Pillar 3 · Cluster 4

Technology governance for GBS operations

Cloud fundamentals, data privacy regulations, and security architecture are not IT-only concerns. Every GBS professional handling personal data, accessing cloud applications, or building automations needs to understand the governance boundaries.

$4.2B+Total GDPR fines issued since 2018
94%Enterprises using cloud services in 2026
Zero TrustThe security model replacing perimeter defense
Cloud SaaS / IaaS / PaaS Infrastructure models Security Zero Trust Distributed protection Privacy GDPR / PII Non-negotiable rules
Technology Governance Pillars

Topic 01 · Cloud Computing

Cloud models — SaaS, IaaS, PaaS decoded

TL;DR

SaaS, PaaS, IaaS split responsibility differently. The model decides who owns security, data, and uptime. The model is in THE FIX.

"It is in the cloud"
answers nothing.

2 min read · full theory in the expandable
The Problem
R
Ravi
AP analyst · Month 8 · Pune

An outage. Ravi asks IT when their tool is back.

"That is SaaS — the vendor owns the stack. We wait like you."
Last month a different tool failed and IT fixed it in an hour. That one ran on IaaS.

"Same cloud, different owners."

He feels informed at last.

The Trap

You treat the cloud as one thing. The model decides who fixes what — and how fast.

The Fix

Three models, three responsibility splits.

SaaSVendor runs everything. You configure and use. ServiceNow, Workday.
PaaSYou build on their platform. Their infrastructure, your applications.
IaaSTheir hardware, your stack. Maximum control, maximum responsibility.

Next outage, Ravi knows who owns the clock before he asks.

Cloud models in depth — SaaS, PaaS, IaaS decodedTHEORY · 3 MIN

You use cloud services every day. Understanding the differences between SaaS, IaaS, and PaaS changes how you think about data residency, security responsibility, and vendor dependency.

IaaS Infrastructure as a Service You manage: OS, apps, data Provider: servers, storage AWS EC2, Azure VMs MAX CONTROL PaaS Platform as a Service You manage: apps, data Provider: runtime, OS, infra Heroku, Google App Engine BALANCED SaaS Software as a Service You manage: configuration Provider: everything else ServiceNow, Workday, SAP MAX CONVENIENCE YOUR CONTROL ← → PROVIDER CONTROL
Cloud Service Models — IaaS / PaaS / SaaS

Cloud computing is not one thing — it is a spectrum of services with different levels of abstraction, control, and shared responsibility.

  • For GBS professionals, the practical question is always: where does our responsibility end and the provider's begin?
  • That boundary shifts depending on the cloud model — SaaS, PaaS, or IaaS each draw the line differently.
1

SaaS — Software as a Service

The application runs entirely in the cloud. You use it through a browser. The vendor manages everything — infrastructure, platform, application code, updates, and security patches. Examples: ServiceNow, Workday, Salesforce, Microsoft 365. GBS implication: fast deployment, limited customization, vendor controls data processing.

2

PaaS — Platform as a Service

The vendor provides the development and runtime environment. You build and deploy your own applications on top. Examples: Microsoft Azure App Service, Google App Engine, SAP BTP. GBS implication: used by IT teams building custom integrations, automation workflows, or analytics dashboards.

3

IaaS — Infrastructure as a Service

The vendor provides virtual machines, storage, and networking. You manage everything above the hardware — operating systems, middleware, applications, and data. Examples: AWS EC2, Azure Virtual Machines, Google Compute Engine. GBS implication: rarely touched directly by GBS operations teams, but your ERP and data warehouses may run here.

The shared responsibility model — what GBS owns
  • Data classification — knowing which data is sensitive, personal, or regulated regardless of where it is stored
  • Access management — ensuring the right people have the right access levels and removing access when roles change
  • Data residency awareness — understanding where cloud data is physically stored and whether it crosses borders
  • Vendor risk assessment — evaluating cloud vendors for security certifications, SLA commitments, and data processing agreements
  • User behavior — strong passwords, multi-factor authentication, not sharing credentials, recognizing phishing
TECH GOVERNANCE FRAMEWORK CLOUD SERVICESSaaS · PaaS · IaaSShared responsibilityKnow what you own DATA PRIVACYPII handlingGDPR · Data classificationYour responsibility too ZERO TRUSTVerify everythingLeast privilege accessTrust no device by default SECURITY IS EVERYONE'S JOB · NOT JUST IT'S

Technology governance — cloud, security, compliance

Monday Move

Classify your three main tools: SaaS, PaaS, or IaaS. Know who owns the fix.

The cloud holds your tools — and other people’s data.

GBS Technology Governance Framework — cloud service models (SaaS, PaaS, IaaS), data privacy and PII handling, and zero trust security

GBS technology governance: cloud models, data privacy & PII, and zero trust security

Topic 02 · Data Privacy

GDPR and PII handling — the non-negotiable rules

TL;DR

GDPR sets the baseline for personal data: minimization, containment, retention limits, breach duties. Your daily handling is where it lives. The model is in THE FIX.

Personal data in every ticket.
The rules are not optional.

2 min read · full theory in the expandable
The Problem
A
Amara
O2C analyst · Year 1 · Lagos

A colleague exports a customer list to a personal drive — "to work faster over the weekend."

Amara stops her: names, emails, bank details — outside the controlled system.

"It is just a working copy." — "It is a breach waiting for a lost laptop."

She feels protective — of the customer and the colleague.

The Trap

Convenience shortcuts with personal data feel harmless until the day one goes missing.

The Fix

Daily GDPR is three disciplines, not a legal degree.

MINIMIZEOnly the data the task needs. Not the full export because it was easier.
CONTAINControlled systems only. Never personal drives, private email, or chat exports.
REPORTSuspected exposure escalates fast. Reporting duties have clocks on them.

The weekend work happens inside the system. Slower by minutes, safer by miles.

GDPR and PII handling in depthTHEORY · 4 MIN

If you process personal data in GBS, you are bound by data privacy regulations. GDPR is the baseline, but every country you serve may have additional requirements.

GDPR sets the global baseline for personal data. The General Data Protection Regulation is the EU's data privacy framework — but its reach is global.

  • Any organization processing personal data of EU residents must comply, regardless of where the processing happens
  • For GBS centers in India, the Philippines, or Latin America serving European entities, GDPR compliance is not optional
  • Fines for violations have exceeded 4 billion euros since the regulation took effect in 2018

Personally Identifiable Information (PII) includes any data that can directly or indirectly identify a natural person.

  • Examples: names, email addresses, employee IDs, IP addresses, bank account numbers, health records, behavioral data
  • In GBS operations, PII is everywhere: payroll data, employee records, customer correspondence, vendor contact details, and applicant tracking systems

The practical requirement is knowing what PII you handle, where it is stored, who has access, and what legal basis you have for processing it.

GDPR principles every GBS professional must know
  • Lawfulness — you need a legal basis for processing personal data (consent, contract, legitimate interest, legal obligation)
  • Purpose limitation — data collected for one purpose cannot be used for an unrelated purpose without additional consent
  • Data minimization — collect only what you need, nothing more
  • Accuracy — keep personal data correct and up to date; correct errors promptly
  • Storage limitation — do not retain personal data longer than necessary for its stated purpose
  • Integrity and confidentiality — protect personal data against unauthorized access, loss, or destruction
  • Accountability — you must be able to demonstrate compliance, not just claim it
Lawfulness Purpose Limitation Data Minimization Accuracy Storage Limitation Integrity & Confidentiality Accountability
7 GDPR principles — ends with Accountability.
The multi-jurisdiction reality

GDPR is the most referenced regulation, but it is not the only one. Each country you serve has its own framework:

  • Brazil has LGPD.
  • India has DPDP.
  • The Philippines has the Data Privacy Act.
  • China has PIPL.

Each country you serve may have different consent requirements, data localization rules, and breach notification timelines. The practical implication for GBS is that you cannot assume one global privacy policy covers everything. Know the legislation for each country you serve, and work with your Data Protection Officer to map the requirements.

TECHNOLOGY LIFECYCLE EVALUATE IMPLEMENT OPERATE OPTIMIZE RETIRE Business case Go-live BAU + support Continuous improve Sunset EVERY TOOL HAS A SHELF LIFE · PLAN FOR TRANSITION

Technology lifecycle — from evaluation to retirement

Monday Move

Check where copies of personal data live in your workflow. Delete the ones outside controlled systems.

Data protected. Access is the other half.

? REALITY TEST click to expand
  • Do you know the data classification of the information you handle daily — public, internal, confidential, or restricted?
  • How does your team handle PII? Are you confident that your daily practices comply with GDPR or local data privacy requirements?
  • Have you completed your organization's cybersecurity training? Could you spot a phishing email targeted at your specific role?

Topic 03 · Security Architecture

Zero Trust — the security model for distributed operations

TL;DR

Zero Trust assumes no user, device, or bot is safe until verified — every session, every time. Built for distributed GBS. The model is in THE FIX.

Inside the network
no longer means trusted.

2 min read · full theory in the expandable
The Problem
P
Peter
Team lead · Year 2 · Budapest

Peter’s team logs in from three countries. Bots log in at 2 AM. Vendors connect from outside.

The old moat — office network equals safe — protects none of it.
A prompt asks him to re-verify mid-session. Annoying. Then he reads why: unusual location pattern.

"The system doubts everyone equally. Good."

He feels protected rather than policed.

The Trap

You read verification friction as bureaucracy instead of the moat that moved.

The Fix

Zero Trust is three assumptions, applied without exception.

VERIFYEvery user, device, session. Identity is the new perimeter.
LEAST ACCESSOnly what the role needs. Nothing extra, nothing "just in case."
ASSUME BREACHDesign as if attackers are inside. Contain damage by default.

The re-verify prompt stops being an annoyance and becomes what lets a three-country team work at all.

Zero Trust in depthTHEORY · 3 MIN

The old model assumed everything inside the corporate network was safe. Zero Trust assumes nothing is safe until verified. For GBS with remote teams, cloud apps, and automation bots, this is the only model that works.

Zero Trust Architecture operates on a simple principle: never trust, always verify.

  • Every access request is authenticated, authorized, and continuously validated — regardless of whether it comes from inside or outside the corporate network
  • For GBS with teams across multiple countries, cloud access from personal devices, and automation bots touching sensitive systems, perimeter-based security is no longer sufficient
Zero Trust principles for GBS operations
  • Verify explicitly — authenticate and authorize based on all available data points (identity, location, device health, data classification)
  • Least privilege access — grant the minimum access needed for the task, nothing more, for the shortest duration needed
  • Assume breach — design systems assuming the network is already compromised; minimize blast radius of any breach
  • Microsegmentation — isolate workloads so that a breach in one area does not grant access to others
  • Continuous monitoring — do not rely on one-time authentication; validate trust continuously throughout the session
What this means for GBS teams day-to-day
  • Multi-factor authentication on every application — not just email, but ERP, ticketing, and file shares
  • Role-based access controls reviewed quarterly — access should match current role, not historical accumulation
  • Bot accounts (RPA) treated like human accounts — with defined access scope, credential rotation, and activity logging
  • Data Loss Prevention (DLP) policies — preventing sensitive data from being copied to unauthorized locations
  • Endpoint protection — managed devices with encryption, patching, and remote wipe capability
IC
GBS Insider Club Insights
  • The most common GBS security failure is accumulated access — people change roles but keep their old system access. Quarterly access reviews are the minimum.
  • RPA bots need the same security treatment as human users. A bot with admin-level ERP access and no activity monitoring is a compliance risk.
  • Zero Trust is not a product you buy. It is an architecture and a mindset. The technology enables it; the governance enforces it.
Monday Move

Note every verification step you hit tomorrow. Each one replaced a wall that no longer exists.

Pillar 3 complete. The tools are governed — now the humans. Pillar 4: Stakeholders & Communication.

? CAREER CHECK click to expand
  • Data governance and security awareness are increasingly expected at every level. How would you describe your current knowledge?
  • Have you ever flagged a security concern or data handling issue? How was it received, and what changed as a result?
  • Understanding cloud services, data privacy, and zero trust principles will differentiate you as GBS moves deeper into digital transformation.
GBS Insider Club learning paths offer structured career frameworks, practical templates, and guided exercises tailored to your GBS role — from entry-level to leadership.

Reference

Glossary

Full glossary at the GBS Insider Club Field Guide.

SaaSSoftware as a Service — cloud model where the vendor hosts and manages the entire application stack. Users access via browser. Examples: ServiceNow, Workday, Salesforce.
IaaSInfrastructure as a Service — cloud model providing virtualized computing resources (servers, storage, networking). The customer manages everything above the hardware layer.
PaaSPlatform as a Service — cloud model providing a development and deployment platform. The vendor manages infrastructure; the customer builds and deploys applications.
GDPRGeneral Data Protection Regulation — the EU data privacy framework governing how personal data of EU residents is collected, processed, stored, and shared. Applies globally to any entity processing EU resident data.
PIIPersonally Identifiable Information — any data that can directly or indirectly identify a natural person. Includes names, emails, IDs, IP addresses, financial data, and health records.
Zero TrustSecurity architecture that requires every access request to be authenticated and authorized regardless of network location. Principle: never trust, always verify.
DLPData Loss Prevention — security controls that prevent sensitive data from being shared, copied, or transferred to unauthorized locations or recipients.
MFAMulti-Factor Authentication — requiring two or more verification factors (password + phone code + biometric) to access systems. A core Zero Trust requirement.
Sources and further reading
  1. European Data Protection Board — GDPR enforcement statistics and fine tracker, 2024
  2. NIST — Zero Trust Architecture Special Publication 800-207
  3. Gartner — Cloud Security reference architecture, 2025
  4. Microsoft — Zero Trust deployment guide for enterprise, 2025
  5. India MEITY — Digital Personal Data Protection Act, 2023
  6. Brazil ANPD — LGPD compliance guidelines
Theory done. Now make it count.

Knowing the frameworks is the entry ticket. Applying them — visibly, at your actual job — is what gets you promoted.

The GBS Insider Club Career Playbooks turn this theory into a guided 90-day program for your role: self-assessment, practical exercises, templates, and Julian's unfiltered practitioner playbook.

Explore the Career Playbooks → Back to Digital and Technology
Leave a comment
← Previous Automation and AI Next → Core Communication