What is GDPR?
On May 25, 2018, the landmark European privacy law, the General Data Protection Regulation (GDPR), will go into effect. The goal of the GDPR is to strengthen and unify data protection for all individuals within the European Union (EU). Key initiatives put forth by GDPR include Privacy by Design, Transparency and Responsibility and Accountability.
Arbor Networks is the Security Division of NETSCOUT. NETSCOUT fully supports the goals of GDPR and is working to further strengthen the privacy principles already included in our products and processes.
To learn more about GDPR, visit the official GDPR website of the EU.
Commitment to Readiness
NETSCOUT has been working towards compliance with the GDPR since its adoption in the spring of 2016. We established a global project to prepare for GDPR, both for our internal processes and for our commercial offerings. Our customers will rely on NETSCOUT’s offerings to achieve GDPR compliance within their own organizations and we are well-positioned to help them meet this critical need.
As part of its GDPR project, and our ongoing commitment to privacy by design, NETSCOUT is working to embed data protection principles even more deeply into our business processes and products, with the objective that technical and organizational security measures limit, by default, the amount and use of personal data. This work will also strengthen controls already in place to limit access to personal data.
How NETSCOUT Can Help
What is the GDPR?
A new comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
What Does the GDPR Regulate?
The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
How Does GDPR Change Privacy Law?
The GDPR provides more privacy rights to EU individuals and places significant obligations on organization. Some of the key changes are
- Expanded rights for EU individuals: The GDPR provides expanded rights for EU individuals such as deletion, restriction, and portability of personal data.
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals
- Model Clauses: The GDPR officially recognizes the model contract clauses set out in the European Commission’s Decision of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to Processors established in third countries, under the Directive 95/46/EC ("Model Clauses") as a means for organizations to legalize transfers of personal data outside the EU. To enter into data protection terms that include the Model Clauses with NETSCOUT, visit NETSCOUT Data Privacy Addendum.
- Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred
- One stop shop: The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues
Does the GDPR Require EU Personal Data to Stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. NETSCOUT’s Data Privacy Addendum which attach the European Commission’s model clauses, will continue to allow the legal transfers of EU personal data outside of the EU.
Does the GDPR Require a Data Privacy Officer (DPO)?
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage inlarge scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If an organization does not fall into one of these categories, it does not need to appoint a DPO. As the provider of Service Assurance and Security solutions, NETSCOUT is not a public authority, does not engage in large scale systematic monitoring and does not engage in large scale processing of sensitive personal data.
NETSCOUT Compliance with the GDPR
NETSCOUT is committed to protecting personal data in compliance with the highest standards of privacy and security. Below is a summary of NETSCOUT's compliance with many of the key areas of the GDPR.
- NETSCOUT ensures the confidentiality and availability of the personal data that it processes and that appropriate technical and organizational measures are taken to protect such personal data.
- NETSCOUT safeguards include:
- Physical safeguards, such as locked doors and file cabinets, controlled access to our facilities, and secure destruction of media containing personal information.
- Technology safeguards, such as use of anti-virus and encryption software, and monitoring of our systems and data centers to ensure compliance with our security policies. We also complete quarterly external vulnerability scans, an annual penetration test, and an annual gap/risk assessment.
- Organizational safeguards, through training and awareness programs on security and privacy, to ensure that all employees understand the importance and means by which they must protect personal data, as well as through privacy policies and policy standards that govern how NETSCOUT treats personal.
- NETSCOUT will be accountable and responsible to ensure its own compliance under the GDPR
- The GDPR officially recognizes the model contract clauses set out in the European Commission’s Decision of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to Processors established in third countries, under the Directive 95/46/EC ("Model Clauses") as a means for organizations to legalize transfers of personal data outside the EU. To enter into data protection terms that include the Model Clauses with NETSCOUT, visit NETSCOUT Data Privacy Addendum.
- NETSCOUT protects personal data through reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.
- NETSCOUT performs robust security measures on its infrastructure (both on premise and in the cloud) such as antivirus, firewalls, scheduled vulnerability scanning, penetration testing and security code peer reviews.
- NETSCOUT’s infrastructure (both on premise and in the cloud) is hardened against DDoS attacks and monitored 24x7x365.
- All NETSCOUT personnel who are authorized to process personal data have committed themselves (through employment and confidentiality agreements) to the confidentiality and security of personal data.
- NETSCOUT encrypts all traffic communications on its cloud, in addition to anonymizing, pseudonymizing, or obfuscating data where technically possible.
- NETSCOUT has an internal process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing of personal data.