GDPR FAQ

Data protection laws are evolving continuously, and Tigerspike is committed to protecting Personal Information through its well-established and maintained Privacy Program, driven by the Data Privacy and Protection Office (DPPO). With the new General Data Protection Regulation (GDPR) in mind, Tigerspike has prepared this FAQ to give a brief description of the steps Tigerspike is taking to comply with the GDPR as a Data Controller and as a Data Processor. It will also give you an insight into the features you may want to leverage when preparing for your own compliance.

1. What is GDPR?

GDPR stands for General Data Protection Regulation. The legislation aims to enhance data privacy protection for citizens and residents of the European Union (EU) and the European Economic Area (EEA) [the 28 member countries of the EU plus Norway, Liechtenstein and Iceland] (herein collectively referred to as “EU”). Here is the regulation: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016

2. What is the territorial scope of GDPR? To whom does it apply?

GDPR applies globally to all establishments of a controller or a processor, whether located within or outside the European Union, if they offer goods and services to EU data subjects or monitor the behaviour of EU data subjects while they are in the Union.

3. Where can I find a copy of the GDPR?

4. What is the type of work meant by processing personal data?

Examples of this type of work include, but are not limited to: hosting, encrypting, decrypting, examining, modifying, storing, retrieving, destroying, deleting or erasing EU personal data. These activities can be manual, automated or semi-automated.

5. What are examples of EU personal data?

Some examples of personal data include, but are not limited to: an EU citizen's email address, phone number, name, workplace or any other ID (Twitter ID, Skype ID, etc.), which can usually be found in everyone's email signature.

6. Will GDPR require any changes in the Tigerspike Service?

Tigerspike has been proactively adopting the changes which GDPR has brought in and has updated its Data Privacy and Protection Program. A special task force, the “Concentrix GDPR Core team”, has been established at Concentrix and is working on all the new requirements of GDPR (privacy by design and default, breach notification, data subject rights, etc.). The GDPR core team will reach out to you for any specific actions required of you or your team.

7. How does Tigerspike meet the GDPR’s Data Subject Personal Data Access Requests requirement?

8. How will Tigerspike employees be trained in Privacy and Security including the GDPR?

All employees are required to take a mandatory online training course on information security and data privacy. Tigerspike is also providing specialised sessions on GDPR to all required employees and other stakeholders.

9. How does Tigerspike assist their Clients with their GDPR obligations?

10. How will Tigerspike comply with the GDPR’s personal data breach notification requirements?

Concentrix has an established IT Security, Data Incident and Fraud Management process, which has been updated to include the GDPR breach notification requirements, and Tigerspike will adhere to it. Tigerspike will adhere to the mandatory breach notification timelines specified in GDPR. As Data Processor, Tigerspike will notify clients as per contractually agreed terms and will assist its clients in meeting the GDPR requirements.

11. How is Tigerspike addressing the GDPR data processing agreements including transfer requirements?

12. What steps will Tigerspike take to comply with the GDPR’s Article 30 requirements to maintain a record of processing activities?

Concentrix's own processing activities (including categories of information and technical and organizational controls) are documented in Data Flow Diagrams (DFD). Client- and Supplier-specific processing activities (including categories of information and technical and organizational controls) are documented in the Service Agreements (Master Services Agreement and Data Processing exhibit). Concentrix has developed an Information Security Management System (ISMS), including a Privacy program, to define the technical and organizational controls for the management of information. The Concentrix ISMS is based on ISO 27001:2013, ISO 22301:2012, PCI DSS v3.2, HITRUST, FFIEC, Data Protection Acts, etc., and is certified for these standards as applicable.

13. What about Data Subjects under the age of 16?

14. How does Tigerspike evaluate the GDPR compliance requirements?

Tigerspike understands the importance of GDPR in the industry and closely monitors its own compliance with it. Tigerspike also takes into consideration any Member State law which may be applicable to Tigerspike.

15. Does the GDPR require EU data to stay in the EU?

16. What does GDPR mean by “data protection by design and by default”?

Data protection by design and by default means that the Data Controller, both at the time of determining the means for processing and at the time of the processing itself, implements appropriate technical and organisational measures designed to put the data-protection principles into effect. This ensures that only the personal data which is required is collected, and that only the personal data necessary for each specific purpose of the processing is processed.

FAQs for Tigerspike Suppliers:

1. How do I know if GDPR applies to the work my company performs for Tigerspike?

Tigerspike will send you a GDPR communication package. If you have any doubt as to whether your company’s services fall under GDPR, contact your Tigerspike representative or privacy@tigerspike.com.

2. Is the GDPR contract a standalone document or an amendment to agreements my company has already signed with Tigerspike?

This agreement amends all agreements between Tigerspike and your company in which your company processes EU personal data. It is a standalone document so that our companies can easily access the GDPR obligations for different engagements.

3. Is there any follow-on activity after the contract is put in place?

Yes. GDPR compliance has several components. Your company will have to take several steps to ensure GDPR compliance, including but not limited to complying with technical and operational measures to protect EU personal data, monitoring your company’s compliance, and ensuring GDPR compliance for your sub-processors. You are obligated to perform these actions to remain compliant with GDPR and with your obligations under the DPA. Tigerspike will contact you regarding additional Tigerspike Supplier GDPR requirements.