cerrar
cerrar
Su red del mañana
Su red del mañana
Planifique su camino hacia una red más rápida, más segura y más resistente diseñada para las aplicaciones y los usuarios a los que da soporte.
          Descubra Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            Líder en SSE. Ahora es líder en SASE de un solo proveedor.
            Líder en SSE. Ahora es líder en SASE de un solo proveedor.
            Netskope debuta como Líder en el Cuadrante Mágico™ de Gartner® para Single-Vendor SASE
              Protección de la IA generativa para principiantes
              Protección de la IA generativa para principiantes
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Prevención moderna de pérdida de datos (DLP) para Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Libro SD-WAN moderno para principiantes de SASE
                  Modern SD-WAN for SASE Dummies
                  Deje de ponerse al día con su arquitectura de red
                    Entendiendo dónde está el riesgo
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        Los 6 casos de uso más convincentes para el reemplazo completo de VPN heredada
                        Los 6 casos de uso más convincentes para el reemplazo completo de VPN heredada
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Salvaguarda su "Propiedad Intelectual" con Protección de Datos Inteligente y Adaptable
                          Colgate-Palmolive Salvaguarda su "Propiedad Intelectual" con Protección de Datos Inteligente y Adaptable
                            Netskope GovCloud
                            Netskope logra la alta autorización FedRAMP
                            Elija Netskope GovCloud para acelerar la transformación de su agencia.
                              Let's Do Great Things Together
                              La estrategia de venta centrada en el partner de Netskope permite a nuestros canales maximizar su expansión y rentabilidad y, al mismo tiempo, transformar la seguridad de su empresa.
                                Soluciones Netskope
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Soporte técnico Netskope
                                  Soporte técnico Netskope
                                  Nuestros ingenieros de soporte cualificados ubicados en todo el mundo y con distintos ámbitos de conocimiento sobre seguridad en la nube, redes, virtualización, entrega de contenidos y desarrollo de software, garantizan una asistencia técnica de calidad en todo momento
                                    Vídeo de Netskope
                                    Netskope Training
                                    La formación de Netskope le ayudará a convertirse en un experto en seguridad en la nube. Estamos aquí para ayudarle a proteger su proceso de transformación digital y aprovechar al máximo sus aplicaciones cloud, web y privadas.

                                      GDPR and Data Processing Agreements

                                      Dec 12 2017
                                      Tags
                                      CASB
                                      Cloud Security
                                      GDPR
                                      GDPR Compliance

                                      Any business that is subject to the EU General Data Protection Regulation (GDPR) as a Controller will need to have in place an appropriate contract with any other Controller that it jointly shares data with if that Controller particularly is outside the EU. More importantly any Controller that is subject to GDPR will need to have in place an appropriate Data Processing Agreement with any third party that it shares data with where that third party is a Processor as defined under GDPR.

                                      GDPR applies to both Controllers and Processors that are established in the EU (e.g. have EU legal entities) but also to any Controller and Processor not located in the EU, where the processing activities are related to either the offering of goods or services to data subjects in the EU (irrespective of whether a payment is required) or the monitoring of the behaviour of individuals as far as such behaviour takes place within the EU.

                                      Many Processors are offering hosted or cloud services which are not EU located but which clearly cause the Processor to be caught by GDPR. Controllers or Processors not established in the EU, but where they are caught by GDPR, must designate in writing a representative. That representative must be established in a member state where the data subjects whose data are being processed by the Controller or Processor are located (or where most of them are located).

                                      The appointment of a representative means that all data protection issues from data subjects or data protection authorities will be addressed to that representative but the appointment of the representative does not affect the responsibility and liability of the Controller nor Processor under GDPR.

                                      GDPR is quite specific about the duties of the Controller and the Processor and indeed Article 28 (3) of GDPR stipulates that there must be a contract in writing between the Controller and Processor which clearly sets out the subject matter of the processing and its duration as well as the nature and purposes of processing, the types of personal data, any particular special categories of data and the obligations and rights of both parties.

                                      Failure to have in place a suitable Data Processing Agreement is a breach of the law under GDPR and therefore Controllers should be carrying out an audit of their existing contracts with Processors to establish if those contracts already comply with GDPR and in addition putting in place due diligence and procurement requirements in respects of contracts that are going to be entered into to which GDPR will apply.

                                      Articles 28 – 36 set out issues that must be addressed in the Data Protection Agreement which include that:

                                      • The Processor must have adequate information security in place;
                                      • The Processor must not use sub Processors without consent of the Controller;
                                      • The Processor must cooperate with the relevant Data Protection Authorities in the event of an enquiry;
                                      • The Processor must report data breaches to the Controller without delay;
                                      • The Processor may need to appoint a mandatory Data Protection Officer;
                                      • The Processor must keep records of all processing activities;
                                      • The Processor must comply with EU trans border data transfer rules ;
                                      • The Processor must help the Controller to comply with data subjects rights;
                                      • The Processor must assist the Data Controller in managing the consequences of data breaches;
                                      • The Processor must delete or return all personal data at the end of the contract at the choice of the Controller; and
                                      • The Processor must inform the Controller if the processing instructions infringe GDPR.

                                      The urgent action for Controllers right now is to ensure that in respect of Data Processing Agreements.. –

                                      • There are documented instructions;
                                      • There is evidence of due diligence by the Controller over the suitability of the Processor in respect of the types of personal data being processed;
                                      • There are suitable confidentiality clauses in the Agreement;
                                      • The Processor has adequate information security in place;
                                      • The contract manages the downline use of sub Processors.
                                      • The contract puts in place measures for the Processor to help the Controller comply with Data Subject Rights;
                                      • There are mechanisms to assist in cooperation with the Controller and the relevant Data Protection Authorities;
                                      • There are processes in place to deal with data incidents and data breach notifications and
                                      • There are processes in place to deal with destruction or return of personal data at the end of the Agreement.

                                      In addition to those needs, Processors should anticipate that Controllers will want to revisit not only the mandatory terms under GDPR but also the issues around warranties and indemnities as well as the question of suitable insurance.

                                      Since Controllers and Processors are equally bound to comply with GDPR, in relation to international data transfers there will need to be in place suitable solutions in relation to personal data being transferred from the EU or more correctly the European Economic Area to other jurisdictions.

                                      In relation to international data transfers, Privacy Shield is an approved solution to the extent that personal data is going from the EEA to the US, but where data is being transferred across many borders then other solutions such as the European Commission approved standard contractual clauses or Binding Corporate Rules may be more appropriate.

                                      Whilst there are also a number of jurisdictions that have been deemed “approved” jurisdictions by the EU (such as Argentina, Canada and Israel), there is considerably uncertainty as to the best solution to use given that Privacy Shield is under regular review by the European Commission as to its robustness as a data transfer solution. Equally the standard contractual clauses are currently under review in the European Court of Justice and in addition the European Commission recently announced that it is reviewing all of the countries that have been deemed “adequate” in the past to ensure that their laws are still fit for purpose in terms of the adequate protection of the rights of individuals.

                                      All of the above raises the bar in relation to the pressures on both a Controller as well as its Processor in relation to any form of data processing whether cloud or otherwise.

                                      Processor.

                                      Controllers should be putting in place a number of due diligence activities in respect of the Processors that they use which can be summarised as data protection audit, documentation of data processing activities and obviously review.

                                      Data protection audit or assessments via a Controller of a Processor might include:

                                      • Do they process personal data and/or special categories of data (e.g. criminal records, children’s data, health data)
                                      • What are the data flows;
                                      • What is the Processors information securities policies and procedures;
                                      • Has the Processor had a history of breaches (notified or not);
                                      • Has the Processor ever been audited or investigated by a Data Protection Authority (does the data Processor have a Data Protection Officer).

                                      Documented data processing activities should address:

                                      • Data processing mapping for both intragroup and third party processing;
                                      • Do the Terms and Conditions of the Processor in any way claim ownership of personal data received from the Controller;
                                      • How are data retention and data destruction practices managed;
                                      • How are the use of sub-processors contractually managed.

                                       

                                      Review of policies and procedures might require the data Processor to produce:

                                      • Data incident response policy and procedures;
                                      • Data sharing policy and procedures;
                                      • Standard operating procedures for vetting of staff;
                                      • Information security practices;
                                      • Cyber risk assessment and compliance;
                                      • Evidence of training.

                                      Prudent processors must anticipate that their customers as controllers will carry out due diligence and seek to impose new contractual terms and therefore processors should immediately:

                                      • Carry out a GDPR Compliance Assessment;
                                      • Rewrite their Terms of Business as appropriate;
                                      • Audit their sub-processors and the contractual terms with them;
                                      • Review their insurance cover;
                                      • Address data transfer solutions;
                                      • Assess their policies and procedures;
                                      • Decide if a mandatory Data Protection Officer is necessary;
                                      • Put in place staff training on policies and procedures; and
                                      • Carry out a genuine assessment as to whether or not they are actually a mere processor or in reality are a joint data controller with their customers.
                                      author image
                                      Robert Bond
                                      Browse recent articles by Robert Bond, one of the contributors at Netskope. Discover the latest trends and updates within the cloud and network space.
                                      Browse recent articles by Robert Bond, one of the contributors at Netskope. Discover the latest trends and updates within the cloud and network space.

                                      ¡Mantente informado!

                                      Suscríbase para recibir lo último del blog de Netskope