SSEへのジャーニーを加速します。 RSAでNetskopeブースにお越しください

  • セキュリティサービスエッジ製品

    高度なクラウド対応の脅威から保護し、あらゆるベクトルにわたってデータを保護します。

  • Borderless SD-WAN

    すべてのリモートユーザー、デバイス、サイト、クラウドへの安全で高性能なアクセスを自信を持って提供します。

  • プラットフォーム

    世界最大のセキュリティプライベートクラウドでの比類のない可視性とリアルタイムデータおよび脅威保護。

ネットスコープ、2022年Gartner社のセキュリティ・サービス・エッジ(SSE)のマジック・クアドラントでリーダーの1社と位置付けられる

レポートを読む 製品概要に移動
Netskope Gartner マジック・クアドラント 2022 SSEリーダー
Gartner® Quick Answer:NetskopeのInfiot買収はSD-WAN、SASE、SSEプロジェクトにどのような影響を与えますか?

レポートを読む
Gartner quick answer
Netskope は、データと脅威の保護、および安全なプライベートアクセスを実現するための機能を統合した、最新のクラウドセキュリティスタックを提供します。

プラットフォームを探索する
大都市の俯瞰図
  • 変身

    デジタルトランスフォーメーションを保護します。

  • セキュリティの近代化

    今日と明日のセキュリティの課題に対応します。

  • フレームワーク

    サイバーセキュリティを形作る規制の枠組みを採用する。

  • 業界ソリューション

    Netskopeは、クラウドに安全に移行するためのプロセスを世界最大規模の企業に提供しています。

最小の遅延と高い信頼性を備えた、市場をリードするクラウドセキュリティサービスに移行します。

詳しくはこちら
Lighted highway through mountainside switchbacks
シングルパスSSEフレームワークを使用して、他のセキュリティソリューションを回避することが多い脅威を防止します。

詳しくはこちら
Lighting storm over metropolitan area
SSEおよびSASE展開のためのゼロトラストソリューション

詳しくはこちら
Boat driving through open sea
Netskopeは、クラウドサービス、アプリ、パブリッククラウドインフラストラクチャを採用するための安全でクラウドスマートかつ迅速な旅を可能にします。

詳しくはこちら
Wind turbines along cliffside
  • 導入企業

    Netskopeは、フォーチュン100の25以上を含む世界中の2,000以上の顧客にサービスを提供しています。

  • カスタマーソリューション

    お客様のため、Netskopeでお客様の成功を確実にすべく、あらゆるステップを共に歩んでまいります。

  • トレーニングと認定

    Netskope training will help you become a cloud security expert.

私たちは、お客様が何にでも備えることができるように支援します

お客様を見る
Woman smiling with glasses looking out window
Netskopeの有能で経験豊富なプロフェッショナルサービスチームは、実装を成功させるための規範的なアプローチを提供します。

詳しくはこちら
Netskopeプロフェッショナルサービス
Netskopeトレーニングで、デジタルトランスフォーメーションの旅を保護し、クラウド、ウェブ、プライベートアプリケーションを最大限に活用してください。

詳しくはこちら
Group of young professionals working
  • リソース

    クラウドへ安全に移行する上でNetskopeがどのように役立つかについての詳細は、以下をご覧ください。

  • ブログ

    Netskopeがセキュリティサービスエッジ(SSE)を通じてセキュリティとネットワークの変革を可能にする方法を学びましょう。

  • イベント&ワークショップ

    最新のセキュリティトレンドを先取りし、仲間とつながりましょう。

  • 定義されたセキュリティ

    サイバーセキュリティ百科事典で知っておくべきことすべて。

セキュリティビジョナリーポッドキャスト

エピソード 10: 透明性によるセキュリティ関係の構築
In this episode, Mike and Andreas discuss aligning with works councils, forging business relationships through transparency, and embedding security into value streams.

ポッドキャストを再生する
Building Security Relationships Through Transparency
Netskopeがセキュリティサービスエッジ(SSE)機能を介してゼロトラストおよびSASEジャーニーを実現する方法に関する最新情報をお読みください。

ブログを読む
Sunrise and cloudy sky
RSAのネツコペ

今年のRSAカンファレンスでNetskopeブースにお越しいただき、SASEとゼロトラストに関するお話をお聞きください。サウスホールのブースにお立ち寄りいただき、エキスパートとの情報交換や、講演セッションへの登録など、ぜひイベントにご参加ください!

詳しくはこちら
RSA logo
セキュリティサービスエッジとは何ですか?

SASEのセキュリティ面、ネットワークとクラウドでの保護の未来を探ります。

詳しくはこちら
Four-way roundabout
  • 会社概要

    クラウド、データ、ネットワークセキュリティの課題の先取りをサポート

  • ネットスコープが選ばれる理由

    クラウドの変革とどこからでも機能することで、セキュリティの機能方法が変わりました。

  • リーダーシップ

    ネットスコープの経営陣はお客様を成功に導くために全力を尽くしています。

  • パートナー

    私たちはセキュリティリーダーと提携して、クラウドへの旅を保護します。

Netskopeは仕事の未来を可能にします。

詳しくはこちら
Curvy road through wooded area
Netskopeは、組織がゼロトラストの原則を適用してデータを保護できるように、クラウド、データ、およびネットワークのセキュリティを再定義しています。

詳しくはこちら
Switchback road atop a cliffside
思想家、建築家、夢想家、革新者。 一緒に、私たちはお客様がデータと人々を保護するのを助けるために最先端のクラウドセキュリティソリューションを提供します。

当社のチーム紹介
Group of hikers scaling a snowy mountain
Netskopeのパートナー中心の市場開拓戦略により、パートナーは企業のセキュリティを変革しながら、成長と収益性を最大化できます。

詳しくはこちら
Group of diverse young professionals smiling

GDPR and Data Processing Agreements

Dec 12 2017
Tags
CASB
Cloud Security
GDPR
GDPR Compliance

Any business that is subject to the EU General Data Protection Regulation (GDPR) as a Controller will need to have in place an appropriate contract with any other Controller that it jointly shares data with if that Controller particularly is outside the EU. More importantly any Controller that is subject to GDPR will need to have in place an appropriate Data Processing Agreement with any third party that it shares data with where that third party is a Processor as defined under GDPR.

GDPR applies to both Controllers and Processors that are established in the EU (e.g. have EU legal entities) but also to any Controller and Processor not located in the EU, where the processing activities are related to either the offering of goods or services to data subjects in the EU (irrespective of whether a payment is required) or the monitoring of the behaviour of individuals as far as such behaviour takes place within the EU.

Many Processors are offering hosted or cloud services which are not EU located but which clearly cause the Processor to be caught by GDPR. Controllers or Processors not established in the EU, but where they are caught by GDPR, must designate in writing a representative. That representative must be established in a member state where the data subjects whose data are being processed by the Controller or Processor are located (or where most of them are located).

The appointment of a representative means that all data protection issues from data subjects or data protection authorities will be addressed to that representative but the appointment of the representative does not affect the responsibility and liability of the Controller nor Processor under GDPR.

GDPR is quite specific about the duties of the Controller and the Processor and indeed Article 28 (3) of GDPR stipulates that there must be a contract in writing between the Controller and Processor which clearly sets out the subject matter of the processing and its duration as well as the nature and purposes of processing, the types of personal data, any particular special categories of data and the obligations and rights of both parties.

Failure to have in place a suitable Data Processing Agreement is a breach of the law under GDPR and therefore Controllers should be carrying out an audit of their existing contracts with Processors to establish if those contracts already comply with GDPR and in addition putting in place due diligence and procurement requirements in respects of contracts that are going to be entered into to which GDPR will apply.

Articles 28 – 36 set out issues that must be addressed in the Data Protection Agreement which include that:

  • The Processor must have adequate information security in place;
  • The Processor must not use sub Processors without consent of the Controller;
  • The Processor must cooperate with the relevant Data Protection Authorities in the event of an enquiry;
  • The Processor must report data breaches to the Controller without delay;
  • The Processor may need to appoint a mandatory Data Protection Officer;
  • The Processor must keep records of all processing activities;
  • The Processor must comply with EU trans border data transfer rules ;
  • The Processor must help the Controller to comply with data subjects rights;
  • The Processor must assist the Data Controller in managing the consequences of data breaches;
  • The Processor must delete or return all personal data at the end of the contract at the choice of the Controller; and
  • The Processor must inform the Controller if the processing instructions infringe GDPR.

The urgent action for Controllers right now is to ensure that in respect of Data Processing Agreements.. –

  • There are documented instructions;
  • There is evidence of due diligence by the Controller over the suitability of the Processor in respect of the types of personal data being processed;
  • There are suitable confidentiality clauses in the Agreement;
  • The Processor has adequate information security in place;
  • The contract manages the downline use of sub Processors.
  • The contract puts in place measures for the Processor to help the Controller comply with Data Subject Rights;
  • There are mechanisms to assist in cooperation with the Controller and the relevant Data Protection Authorities;
  • There are processes in place to deal with data incidents and data breach notifications and
  • There are processes in place to deal with destruction or return of personal data at the end of the Agreement.

In addition to those needs, Processors should anticipate that Controllers will want to revisit not only the mandatory terms under GDPR but also the issues around warranties and indemnities as well as the question of suitable insurance.

Since Controllers and Processors are equally bound to comply with GDPR, in relation to international data transfers there will need to be in place suitable solutions in relation to personal data being transferred from the EU or more correctly the European Economic Area to other jurisdictions.

In relation to international data transfers, Privacy Shield is an approved solution to the extent that personal data is going from the EEA to the US, but where data is being transferred across many borders then other solutions such as the European Commission approved standard contractual clauses or Binding Corporate Rules may be more appropriate.

Whilst there are also a number of jurisdictions that have been deemed “approved” jurisdictions by the EU (such as Argentina, Canada and Israel), there is considerably uncertainty as to the best solution to use given that Privacy Shield is under regular review by the European Commission as to its robustness as a data transfer solution. Equally the standard contractual clauses are currently under review in the European Court of Justice and in addition the European Commission recently announced that it is reviewing all of the countries that have been deemed “adequate” in the past to ensure that their laws are still fit for purpose in terms of the adequate protection of the rights of individuals.

All of the above raises the bar in relation to the pressures on both a Controller as well as its Processor in relation to any form of data processing whether cloud or otherwise.

Processor.

Controllers should be putting in place a number of due diligence activities in respect of the Processors that they use which can be summarised as data protection audit, documentation of data processing activities and obviously review.

Data protection audit or assessments via a Controller of a Processor might include:

  • Do they process personal data and/or special categories of data (e.g. criminal records, children’s data, health data)
  • What are the data flows;
  • What is the Processors information securities policies and procedures;
  • Has the Processor had a history of breaches (notified or not);
  • Has the Processor ever been audited or investigated by a Data Protection Authority (does the data Processor have a Data Protection Officer).

Documented data processing activities should address:

  • Data processing mapping for both intragroup and third party processing;
  • Do the Terms and Conditions of the Processor in any way claim ownership of personal data received from the Controller;
  • How are data retention and data destruction practices managed;
  • How are the use of sub-processors contractually managed.

 

Review of policies and procedures might require the data Processor to produce:

  • Data incident response policy and procedures;
  • Data sharing policy and procedures;
  • Standard operating procedures for vetting of staff;
  • Information security practices;
  • Cyber risk assessment and compliance;
  • Evidence of training.

Prudent processors must anticipate that their customers as controllers will carry out due diligence and seek to impose new contractual terms and therefore processors should immediately:

  • Carry out a GDPR Compliance Assessment;
  • Rewrite their Terms of Business as appropriate;
  • Audit their sub-processors and the contractual terms with them;
  • Review their insurance cover;
  • Address data transfer solutions;
  • Assess their policies and procedures;
  • Decide if a mandatory Data Protection Officer is necessary;
  • Put in place staff training on policies and procedures; and
  • Carry out a genuine assessment as to whether or not they are actually a mere processor or in reality are a joint data controller with their customers.