¡El futuro de Zero Trust y de SASE es ahora! Regístrese ahora

cerrar
cerrar
  • Servicio de seguridad Productos Edge chevron

    Protéjase contra las amenazas avanzadas y en la nube y salvaguarde los datos en todos los vectores.

  • Borderless SD-WAN chevron

    Proporcione con confianza un acceso seguro y de alto rendimiento a cada usuario remoto, dispositivo, sitio y nube.

  • Secure Access Service Edge chevron

    Netskope SASE proporciona una solución SASE nativa en la nube, totalmente convergente y de un único proveedor.

La plataforma del futuro es Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) y Private Access for ZTNA integrados de forma nativa en una única solución para ayudar a todas las empresas en su camino hacia el Servicio de acceso seguro Arquitectura perimetral (SASE).

Todos los productos
Vídeo de Netskope
Next Gen SASE Branch es híbrida: conectada, segura y automatizada

Netskope Next Gen SASE Branch converge Context-Aware SASE Fabric, Zero-Trust Hybrid Security y SkopeAI-Powered Cloud Orchestrator en una oferta de nube unificada, marcando el comienzo de una experiencia de sucursal completamente modernizada para la empresa sin fronteras.

Obtenga más información sobre Next Gen SASE Branch
Personas en la oficina de espacios abiertos.
Diseño de una arquitectura SASE para Dummies

Obtenga un ejemplar gratuito del único manual que necesitará sobre diseño de una arquitectura SASE.

Obtenga el eBook
Adopte una arquitectura de borde de servicio de acceso seguro (SASE)

Netskope NewEdge es la nube privada de seguridad más grande y de mayor rendimiento del mundo y ofrece a los clientes una cobertura de servicio, un rendimiento y una resiliencia incomparables.

Más información sobre NewEdge
NewEdge
Tu red del mañana

Planifique su camino hacia una red más rápida, más segura y más resistente diseñada para las aplicaciones y los usuarios a los que da soporte.

Obtenga el whitepaper
Tu red del mañana
Netskope Cloud Exchange

Cloud Exchange (CE) de Netskope ofrece a sus clientes herramientas de integración eficaces para que saquen partido a su inversión en estrategias de seguridad.

Más información sobre Cloud Exchange
Vídeo de Netskope
Cambie a los servicios de seguridad en la nube líderes del mercado con una latencia mínima y una alta fiabilidad.

Más información sobre NewEdge
Lighted highway through mountainside switchbacks
Habilite de forma segura el uso de aplicaciones de IA generativa con control de acceso a aplicaciones, capacitación de usuarios en tiempo real y la mejor protección de datos de su clase.

Descubra cómo aseguramos el uso generativo de IA
Habilite de forma segura ChatGPT y IA generativa
Soluciones de confianza cero para implementaciones de SSE y SASE

Más información sobre Confianza Cero
Boat driving through open sea
Netskope logra la alta autorización FedRAMP

Elija Netskope GovCloud para acelerar la transformación de su agencia.

Más información sobre Netskope GovCloud
Netskope GovCloud
  • Recursos chevron

    Obtenga más información sobre cómo Netskope puede ayudarle a proteger su viaje hacia la nube.

  • Blog chevron

    Descubra cómo Netskope permite la transformación de la seguridad y las redes a través del servicio de seguridad (SSE).

  • Eventos & Workshops chevron

    Manténgase a la vanguardia de las últimas tendencias de seguridad y conéctese con sus pares.

  • Seguridad definida chevron

    Todo lo que necesitas saber en nuestra enciclopedia de ciberseguridad.

Podcast Security Visionaries

Galletas, no bizcochos
La anfitriona Emily Wearmouthas se sienta con los expertos David Fairman y Zohar Hod para discutir el pasado, el presente y el futuro de las cookies de Internet.

Reproducir el pódcast
Podcast: Galletas, no galletas
Últimos blogs

Cómo Netskope puede habilitar el viaje de Zero Trust y SASE a través de las capacidades del borde del servicio de seguridad (SSE).

Lea el blog
Sunrise and cloudy sky
SASE Week 2023: ¡Su viaje SASE comienza ahora!

Sesiones de repetición de la cuarta SASE Week.

Explorar sesiones
SASE Week 2023
¿Qué es Security Service Edge (SSE)?

Explore el lado de la seguridad de SASE, el futuro de la red y la protección en la nube.

Más información sobre el servicio de seguridad perimetral
Four-way roundabout
Ayudamos a nuestros clientes a estar preparados para cualquier situación

Ver nuestros clientes
Woman smiling with glasses looking out window
El talentoso y experimentado equipo de servicios profesionales de Netskope proporciona un enfoque prescriptivo para su exitosa implementación.

Más información sobre servicios profesionales
Servicios profesionales de Netskope
La comunidad de Netskope puede ayudarlo a usted y a su equipo a obtener más valor de los productos y las prácticas.

Acceder a la Netskope Community
La comunidad de Netskope
Asegure su viaje de transformación digital y aproveche al máximo sus aplicaciones en la nube, web y privadas con la capacitación de Netskope.

Infórmese sobre Capacitaciones y Certificaciones
Group of young professionals working
  • Empresa chevron

    Le ayudamos a mantenerse a la vanguardia de los desafíos de seguridad de la nube, los datos y la red.

  • Por qué Netskope chevron

    La transformación de la nube y el trabajo desde cualquier lugar han cambiado la forma en que debe funcionar la seguridad.

  • Liderazgo chevron

    Nuestro equipo de liderazgo está firmemente comprometido a hacer todo lo necesario para que nuestros clientes tengan éxito.

  • Partners chevron

    Nos asociamos con líderes en seguridad para ayudarlo a asegurar su viaje a la nube.

Apoyar la sostenibilidad a través de la seguridad de los datos

Netskope se enorgullece de participar en Vision 2045: una iniciativa destinada a crear conciencia sobre el papel de la industria privada en la sostenibilidad.

Descubra más
Apoyando la sustentabilidad a través de la seguridad de los datos
La más Alta en Ejecución. Más Avanzada en Visión.

Netskope ha sido reconocido como Líder en el Gartner® Magic Quadrant™ de 2023 en SSE.

Obtenga el informe
Netskope ha sido reconocido como Líder en el Gartner® Magic Quadrant™ de 2023 en SSE.
Pensadores, constructores, soñadores, innovadores. Juntos, ofrecemos soluciones de seguridad en la nube de vanguardia para ayudar a nuestros clientes a proteger sus datos y usuarios.

Conozca a nuestro equipo
Group of hikers scaling a snowy mountain
La estrategia de venta centrada en el partner de Netskope permite a nuestros canales maximizar su expansión y rentabilidad y, al mismo tiempo, transformar la seguridad de su empresa.

Más información sobre los socios de Netskope
Group of diverse young professionals smiling

GDPR and Data Processing Agreements

Dec 12 2017
Etiquetas
CASB
Cloud Security
RGPD
GDPR Compliance

Any business that is subject to the EU General Data Protection Regulation (GDPR) as a Controller will need to have in place an appropriate contract with any other Controller that it jointly shares data with if that Controller particularly is outside the EU. More importantly any Controller that is subject to GDPR will need to have in place an appropriate Data Processing Agreement with any third party that it shares data with where that third party is a Processor as defined under GDPR.

GDPR applies to both Controllers and Processors that are established in the EU (e.g. have EU legal entities) but also to any Controller and Processor not located in the EU, where the processing activities are related to either the offering of goods or services to data subjects in the EU (irrespective of whether a payment is required) or the monitoring of the behaviour of individuals as far as such behaviour takes place within the EU.

Many Processors are offering hosted or cloud services which are not EU located but which clearly cause the Processor to be caught by GDPR. Controllers or Processors not established in the EU, but where they are caught by GDPR, must designate in writing a representative. That representative must be established in a member state where the data subjects whose data are being processed by the Controller or Processor are located (or where most of them are located).

The appointment of a representative means that all data protection issues from data subjects or data protection authorities will be addressed to that representative but the appointment of the representative does not affect the responsibility and liability of the Controller nor Processor under GDPR.

GDPR is quite specific about the duties of the Controller and the Processor and indeed Article 28 (3) of GDPR stipulates that there must be a contract in writing between the Controller and Processor which clearly sets out the subject matter of the processing and its duration as well as the nature and purposes of processing, the types of personal data, any particular special categories of data and the obligations and rights of both parties.

Failure to have in place a suitable Data Processing Agreement is a breach of the law under GDPR and therefore Controllers should be carrying out an audit of their existing contracts with Processors to establish if those contracts already comply with GDPR and in addition putting in place due diligence and procurement requirements in respects of contracts that are going to be entered into to which GDPR will apply.

Articles 28 – 36 set out issues that must be addressed in the Data Protection Agreement which include that:

  • The Processor must have adequate information security in place;
  • The Processor must not use sub Processors without consent of the Controller;
  • The Processor must cooperate with the relevant Data Protection Authorities in the event of an enquiry;
  • The Processor must report data breaches to the Controller without delay;
  • The Processor may need to appoint a mandatory Data Protection Officer;
  • The Processor must keep records of all processing activities;
  • The Processor must comply with EU trans border data transfer rules ;
  • The Processor must help the Controller to comply with data subjects rights;
  • The Processor must assist the Data Controller in managing the consequences of data breaches;
  • The Processor must delete or return all personal data at the end of the contract at the choice of the Controller; and
  • The Processor must inform the Controller if the processing instructions infringe GDPR.

The urgent action for Controllers right now is to ensure that in respect of Data Processing Agreements.. –

  • There are documented instructions;
  • There is evidence of due diligence by the Controller over the suitability of the Processor in respect of the types of personal data being processed;
  • There are suitable confidentiality clauses in the Agreement;
  • The Processor has adequate information security in place;
  • The contract manages the downline use of sub Processors.
  • The contract puts in place measures for the Processor to help the Controller comply with Data Subject Rights;
  • There are mechanisms to assist in cooperation with the Controller and the relevant Data Protection Authorities;
  • There are processes in place to deal with data incidents and data breach notifications and
  • There are processes in place to deal with destruction or return of personal data at the end of the Agreement.

In addition to those needs, Processors should anticipate that Controllers will want to revisit not only the mandatory terms under GDPR but also the issues around warranties and indemnities as well as the question of suitable insurance.

Since Controllers and Processors are equally bound to comply with GDPR, in relation to international data transfers there will need to be in place suitable solutions in relation to personal data being transferred from the EU or more correctly the European Economic Area to other jurisdictions.

In relation to international data transfers, Privacy Shield is an approved solution to the extent that personal data is going from the EEA to the US, but where data is being transferred across many borders then other solutions such as the European Commission approved standard contractual clauses or Binding Corporate Rules may be more appropriate.

Whilst there are also a number of jurisdictions that have been deemed “approved” jurisdictions by the EU (such as Argentina, Canada and Israel), there is considerably uncertainty as to the best solution to use given that Privacy Shield is under regular review by the European Commission as to its robustness as a data transfer solution. Equally the standard contractual clauses are currently under review in the European Court of Justice and in addition the European Commission recently announced that it is reviewing all of the countries that have been deemed “adequate” in the past to ensure that their laws are still fit for purpose in terms of the adequate protection of the rights of individuals.

All of the above raises the bar in relation to the pressures on both a Controller as well as its Processor in relation to any form of data processing whether cloud or otherwise.

Processor.

Controllers should be putting in place a number of due diligence activities in respect of the Processors that they use which can be summarised as data protection audit, documentation of data processing activities and obviously review.

Data protection audit or assessments via a Controller of a Processor might include:

  • Do they process personal data and/or special categories of data (e.g. criminal records, children’s data, health data)
  • What are the data flows;
  • What is the Processors information securities policies and procedures;
  • Has the Processor had a history of breaches (notified or not);
  • Has the Processor ever been audited or investigated by a Data Protection Authority (does the data Processor have a Data Protection Officer).

Documented data processing activities should address:

  • Data processing mapping for both intragroup and third party processing;
  • Do the Terms and Conditions of the Processor in any way claim ownership of personal data received from the Controller;
  • How are data retention and data destruction practices managed;
  • How are the use of sub-processors contractually managed.

 

Review of policies and procedures might require the data Processor to produce:

  • Data incident response policy and procedures;
  • Data sharing policy and procedures;
  • Standard operating procedures for vetting of staff;
  • Information security practices;
  • Cyber risk assessment and compliance;
  • Evidence of training.

Prudent processors must anticipate that their customers as controllers will carry out due diligence and seek to impose new contractual terms and therefore processors should immediately:

  • Carry out a GDPR Compliance Assessment;
  • Rewrite their Terms of Business as appropriate;
  • Audit their sub-processors and the contractual terms with them;
  • Review their insurance cover;
  • Address data transfer solutions;
  • Assess their policies and procedures;
  • Decide if a mandatory Data Protection Officer is necessary;
  • Put in place staff training on policies and procedures; and
  • Carry out a genuine assessment as to whether or not they are actually a mere processor or in reality are a joint data controller with their customers.

Stay informed!

Subscribe for the latest from the Netskope Blog