Information Security Group
|
Knowledge Hub > Data Privacy

Data Privacy and Protection

Data Privacy and Protection ensures the correct use and safeguards Personal and Sensitive Personal data using Technical Controls and Organizational Processes measures, as per global regulations and customer contractual requirements.

This is the one of the most important business requirements, because a privacy breach can lead to unlimited contractual liability, hefty fines, penalties imposed by regulatory authorities and customers, loss of business, damage to Tech Mahindra brand image and reputation, and loss of customer confidence.

The Project Manager and the Data privacy team must collaborate effectively tp execute the data privacy workflow, ensuring strict adherence to mandatory requirements.

Data Privacy Process overview -

Confirm Access to PI/SPI
  • Annual audit planner is prepared.
  • DP team will send mail to project managers to confirm if they have access to PD (PII/SPI) in their projects.
  • Project Manager to provide confirmation to DP Team on having project access to PI SPI data.


Conduct PIA and ROPA

The important Data Privacy activity which needs to be complied by the Delivery Team in the various Clusters in the Organization include PIA (DPIA) and ROPA completion, which are two documents which are audited and assessed to understand the Privacy compliance of every project. Data Privacy team will initiate the Privacy Impact Assessment with those applicable managers who should establish DPIA and ROPA.

As part of PIA and ROPA PM to check below points:

  • PM to ensure MSA or SOW is signed, DPA/ DTA/ SCC if applicable to the Project is also signed. Third party agreement should be signed in case Tech M appointed third party processing PI/ SPI of end user is applicable to the project.
  • PM needs to ensure proper security controls such as DLP, 2FA and data retention is implemented.
  • Copy-paste and download provision should be restricted if not required for the project.
  • Written permissions from client should be taken for any exception required for business.
  • Validate all IT and Data protection controls and ensure that they are complied by project team.

RoPA:

Record of Processing Activities (ROPA) need to be carried out by Project Manager, ROPA is a record of data that is processed by project involving personal data.

AS per the GDPR process each controller and, where applicable, the controller’s representative (processer), shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer.
  • The purposes of the processing.
  • A description of the categories of data subjects and of the categories of personal data.
  • The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations.
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers the documentation of suitable safeguards.
  • Where possible, the envisaged time limits for erasure of the different categories of data.
  • Where possible, a general description of the technical and organizational security measures.


Monitor Risks till closure

PM to provide evidence to close the open risks in PIA

  • DP team will perform a gap assessment to evaluate the adequacy of controls to safeguard the Personal Data (PII/SPI).
  • DP team will raise Risks along with mitigations in remediation plan.
  • Project managers should take necessary action to close the Risks and provide the evidence for closure of risks.
  • The Data Privacy team will validate the evidence and close the Risks in Privacy Risk Register.
  • PM stores the final PIA ROPA documents for records and audit purposes.


Training and Awareness

PM to provide evidence to close the open risks in PIA

  • Project Managers should ensure that all the associates working in the Project completes mandatory Data Protection training.
  • If the associate does not complete the training within 30 days , NC will be raised by ISG team on that project.


Data Privacy Audits
  • High risk customer groups are identified based on the data privacy compliance status like Completion of PIA, ROPA, Data Privacy Training and Implementation of DLP. The report of the same is shared with ISG Management on a weekly basis.
  • Data Privacy team will conduct Data Privacy audits for the applicable red category projects.
  • Auditor will discuss the findings and recommendations with PM and get concurrence. The final report is prepared and submitted in the system by auditor. Auto mail is triggered to PM with the overview of the Audit conducted. In case if there are any NCs raised during the Audit, PM will be able to view the report in QSPACE - Audit PRISM for details.


Review PIA/ROPA
  • PM responds with No change or discusses the change and updates the documents and completes the half yearly review.
  • Privacy Impact Assessment and Record of Processing Activities will be re-initiated by every change in project/process where additional Personal Data processing is undertaken or bi-annually.


Project Closure
  • Project Manager should ensure that all the documents related to the projects are archived or deleted.
  • Project Manager to Ensure that all the accesses are removed to the associates working on the project.
  • All the documents related to the projects are archived or deleted after the completion of the Project.


  • Should only collect personal data that’s absolutely necessary to deliver their services.
  • Need to ensure Privacy Policy, Cookie Policy and Terms of Use are published with easy access and understandable.
  • Make sure to get proper user consent.
  • Explicit opt-in consent should be taken from the user.
  • Opt-in consent taken in proper legal format (TECHM legal format if TECHM owned website).
  • Opt-out consent facility need to be provided to the user.
  • Opt-out consent taken in proper legal format (TECHM legal format if TECHM owned website).
  • Personal information should be deleted from all the systems after the user opt-out.
  • Secure a user’s personal data from unauthorized access. One way to do that is by implementing two-factor authentication.
  • Need to ensure that Privacy Impact assessment is conducted for the applications.
  • Data retention periods need to be defined and ensure that Unused and unneeded data is removed securely without effecting the integrity of remaining user data.
  • Personal data should be classified and secured accordingly. Technical security assessment of the application to be conducted.
  • Data Processing Agreement need to be signed with all the data processors.
  • In case of any Data Privacy Incident, the incident must be immediately reported to Tech Mahindra Incident Management team. (https://isg.techmahindra.com/IMS/)


  • All associates handling Personal Data related to Tech Mahindra Business operations must ensure processing in adherence to the Data Protection and Privacy Policies.
  • Associates shall use only authorized devices such as desktops, laptops and login credentials to access Tech Mahindra and customer data.
  • Associates shall not access/use/store Personal Data obtained from third party sources for Tech Mahindra Business Operations without the consent of the respective Business/Function Head and Information Security Group (ISG)
  • Business/Function Head shall consult Information Security Group (“ISG”), before processing/accessing any Personal Data.
  • Assets provided by Tech Mahindra or its customers must not be used for personal use.
  • Associates shall not download / store any Personal Data including their own Personal Data not related to Tech Mahindra business operations on either a Customer or Tech Mahindra provided device.
  • No associate can collect or use Personal Data on cloud services without authorization from ISG.
  • No associate can make personal use of Personal Data for any unauthorized purpose including without limitation, marketing or promotions of any kind.
  • Associates shall comply to privacy policy of customers while working within customer environment.
  • Associates should notify the Privacy breach to their designated Data Protection Officer via centralized incident management tool.


Personal Identifiable Information (PII) Sensitive Personal Identifiable Information (SPII)
  • An individual First and Last Name
  • An individual Internet ID (not necessary his/her name)
  • E-mail address
  • Mailing and/or Residential addresses
  • Telephone number
  • Title
  • Birth date
  • Gender
  • Occupation
  • Contact information
  • Biographical information (where it combine with information that identifies someone).
  • Password, (note even if applicable law may not categories passwords as sensitive Tech M does and you should treat them accordingly)
  • National Insurance Number
  • Social Security Numbers
  • Race
  • Ethnic origin
  • Sexual orientation
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union memberships that contains individuals health-related records (e.g. patient records, medical photographs, diet information, hospital information records, biological traits and genetic material)
  • Criminal records
  • legal investigations and proceedings, etc.
  • Billing records and Subscriber information
  • Financial information such as credit card or bank information
  • Health care and medical records
  • Biometric records


The privacy policy within Tech Mahindra complies to 8 core Privacy principles.

Processing personal data fairly and lawfully

Ensure that the data processing practices are followed as per the customer contract and legal agreement.

Purpose limitation for processing personal data

When personal data is collected, it should be processed for that specific purpose only.

Holding only adequate personal data for limited period

We must only collect and hold personal data for the appropriate time period.

Maintain accurate personal data

Data processed must be accurate with integrity maintained.

Retention of Personal Data

Processed data shall not be kept for longer than is necessary for that purpose

Processed in accordance with Right of Individuals

Data shall be processed in accordance with the rights of data subjects

Information Security

Appropriate technical and organizational measures shall be taken to prevent unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

To implement legal, technical, process safeguards before sending data outside EEA

Personal data shall not be transferred to a country or territory outside the EEA(Cross Border Personal information)Requirements unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

BMS Links

PIA Template Processor
PIA Template Controller
Account Level PIA
Data Privacy Incident Response Policy
Incident Management System
Privacy control checklist
Data minimization policy
Data Retention Policy
Data Privacy and Protection Policy
Data Privacy Framework policy
Privacy Policy
Cookie Policy
Any Queries related to Data Privacy , please write to : ISGDataProtection@TechMahindra.com

Any Associates who want to raise Data Subject request : Data Subject Request

Copyright © Tech Mahindra Limited. All Rights Reserved