GDPR came into place on May 25, 2018 and is a regulation that protects an individual’s rights with regard to personal data and privacy of data linked to them.
As a organisation with a large European footprint, GTT takes GDPR very seriously and has stringent security controls that comply with GDPR. We follow the regulation's guidance itself, and are also aligned with internationally recognised security methodologies, frameworks, and standards.
You can find our full security and compliance section below.
Most standards and frameworks for information security focus on people, processes and technology. Additionally, the same standards have specific controls relating to the physical security of assets used to store or access information. Find out more about GDPR and how we comply by reading our FAQs below.
ISO 27001 is an internationally renowned standard viewed as a benchmark by most organisations and security professionals. The ISO 27001 standard contains the core security controls that other standards use as a base. GTT holds ISO 27001: 2013 compliance at multiple locations, please view the certifications list for further information.
The ISO 27001 series focuses on the entire information security stack. All information security aspects surrounding the core elements of people, process, organisation and technology are considered. It also has specific controls around physical security which relate to physical access to assets that have information stored on them, or that can be used to access the information itself.
That standard itself is fundamentally centred around the deployment of an Information Security Management System (ISMS) which helps to ensure that an organisation understands its information security posture and drives to continually improve it.
GTT uses a continuous security improvement approach to all information security objectives. This includes the continuous identification, grading, control and maintenance of risks. The GTT lifecycle is based upon the Edward Deming Plan, Do, Check and Act (PDCA) lifecycle which is internationally recognised and used by numerous standards and frameworks.
GTT is assessed and regularly audited by independent third parties against the ISO 27001 standard to ensure that high standards are maintained continuously.
SOC stands for “Service Organization Control”. SOC1 and SOC 2 service assurance reports are provided by independent third parties (auditors) against defined control framework.
A SOC1 report examines the Controls of a Service Organisation which are relevant to a user entity’s internal control over financial reporting. It is specifically intended to meet the needs of customers who require assurance on the effectiveness of the controls at the service organisation on the customers’ financial statements. GTT’s SOC 1 scope includes Managed Hosting and VDC services.
A SOC 2 audit report provides detailed information and assurance about security, availability, processing integrity and confidentiality controls, based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria). GTT’s SOC 2 scope includes the SD-WAN and SIP Trunking services.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard governed by the PCI Security Standards Council. The Council was founded by the major payment brands - American Express, Discover, Visa, JCB and MasterCard. Its goal is to develop and maintain common standards which encourage cardholder data security and to facilitate broad adoption of consistent data security measures across the industry.
PCI DSS applies to all entities involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.
If you want to request the GTT PCI DSS Attestation of Compliance (AOC) and Responsibility Model, please contact us your Account Manager.
ISO 20000 is a global standard that describes the requirements for an information technology service management (ITSM) system. The standard was developed to mirror the best practices described within the IT Infrastructure Library (ITIL) framework.
This international IT service management (ITSM) standard enables IT organisations (whether in-house, outsourced or external) to ensure that their ITSM processes are aligned both with the needs of the business and with international best practice.
ISO 20000 helps organisations benchmark how they deliver managed services, measure service levels and assess their performance. It is broadly aligned with, and draws strongly on, ITIL.
Q. Who does the GDPR affect?
A. The General Data Protection Regulation (GDPR) not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
Q. What are the penalties for non-compliance?
A. Organisations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million, whichever is higher. This is the maximum fine that can be imposed for the most serious infringements. It is important to note that these rules apply to both controllers and processors -- meaning the GDPR subjects data processors to direct liability in certain circumstances, for example in relation to a data security breach and joint liability to data subjects where the data controller is at fault.
Q. What constitutes personal data?
A. Any information related to a person, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Q. Is GTT GDPR certified?
A. GDPR is a regulation which, if in scope, organisations must comply with. At this time, there are no approved certification criteria or accredited certification bodies for issuing GDPR certificates. GTT holds an ISO 27001:2013 Information Security Management System certification and our technical and organisational measures are based on the Plan, Do, Check, Act cycle. GTT is assessed and regularly audited by independent third parties to ensure that the highest security standards are maintained and continuously improved.
Q. How does GTT comply with GDPR?
A. Our customers choose to work with us because a fundamental pillar for the success of our business is our robust data privacy framework. It ensures compliance with current privacy and data protection laws and encourages a culture of best practice when it comes to handling data. As a telecommunications service provider we adhere to the ePrivacy Directive (Directive on privacy and electronic communications) and also follow strict country specific telecommunication legislation which sometimes may override GDPR.
GTT applies what we consider to be state of the art technology to secure the data that we hold on behalf of our customers. By further implementing detailed policies, procedures, and processes that are certified as compliant with the most rigorous industry accepted data security standards, we are fully committed to providing compliant, multi-jurisdictional, segregated and secure solutions for all our customers. GTT is also aligned with multiple well-known certification schemes such as ISO 27001 and PCI-DSS. GTT is committed to adhering to these standards and applies robust technical, physical and cyber security controls.
Q. How does GTT carry out key technical aspects of GDPR, such as ‘privacy by design’ or data privacy impact assessments (DPIA)?
A. GTT carries out data privacy impact assessments on all aspects of its business, both internally and for products used by our customers. GTT applies privacy by design via governance processes such as architecture boards and as a key milestone at the beginning of every project.
Q. Can my solution or service from GTT be tailored for my organisation’s GDPR compliance needs?
A. Yes, GTT can tailor any bespoke service for our customers’ requirements and to meet GDPR. We have several cyber security offerings that can help our customers achieve a strong level of cyber security maturity, and with it, GDPR compliance.
Q. Where can I learn more about GDPR compliance in GTT. How can I request personal data protection support from GTT?
A. GTT has established a Privacy Policy that we encourage our customers, employees, agents, contractors, and suppliers to read. The purpose of this Policy is to outline how GTT will collect and manage personal information in accordance with all relevant privacy legislations. GTT has a Data Protection team responsible for ensuring GDPR compliance. The Data Protection team can be contacted via e-mail to: [email protected]
