GDPR came into place on May 25, 2018 and is a regulation that protects an individual’s rights with regard to personal data and privacy of data linked to them.
As a organisation with a large European footprint, GTT takes GDPR very seriously and has stringent security controls that comply with GDPR. We follow the regulation's guidance itself, and are also aligned with internationally recognised security methodologies, frameworks, and standards.
You can find our full security and compliance section below.
Most standards and frameworks for information security focus on people, processes and technology. Additionally, the same standards have specific controls relating to the physical security of assets used to store or access information. Find out more about GDPR and how we comply by reading our FAQs below.
ISO27001 is an internationally renowned standard viewed as a benchmark by most organisations and security professionals. The ISO27001 standard contains the core security controls that other standards use as a base. GTT holds ISO27001: 2013 compliance at multiple locations, please view the certifications list for further information.
The ISO27001 series focuses on the entire information security stack. All information security aspects surrounding the core elements of people, process, organisation and technology are considered. It also has specific controls around physical security which relate to physical access to assets that have information stored on them, or that can be used to access the information itself.
That standard itself is fundamentally centered around the deployment of an Information Security Management System (ISMS) which helps to ensure that an organisation understands its information security posture and drives to continually improve it.
GTT uses a continuous security improvement approach to all information security objectives. This includes the continuous identification, grading, control and maintenance of risks. The GTT lifecycle is based upon the Edward Deming Plan, Do, Check and Act (PDCA) lifecycle which is internationally recognised and used by numerous standards and frameworks.
GTT is assessed and regularly audited by independent third parties against the ISO27000 standard to ensure that high standards are maintained continuously.
SSAE stands for “Statement on Standards for Attestation Engagements” which is an American standard with wide international acceptance. ISAE stands for "International Standard for Assurance Engagements". SOC stands for “Service Organisation Control”. SOC1 and SOC2 service auditor reports are provided by independent third parties against defined standards.
SOC1 audits are performed against an American standard called SSAE 16. A SOC1 report, also known as an SSAE 16 report, examines the Controls of a Service Organisation which are relevant to a user entity’s internal control over financial reporting. A SOC 1 audit report is on controls related to the protection of financial statements. It is specifically intended to meet the needs of customers who require assurance on the effectiveness of the controls at the service organisation on the customers’ financial statements. This report is only likely to be relevant to those service providers that offer financial reporting services.
A SOC2 report, also known as an ISAE 3402 report, is an audit report on defined control areas and as such is not focused so specifically on the needs of user entities in relation to financial reporting. GTT’s SOC2 report covers controls relevant to security, availability and confidentiality. SOC 2 audits are performed against American standards known as the Trust Services and AT 101.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard governed by the PCI Security Standards Council. The Council was founded by the major payment brands - American Express, Discover, Visa, JCB and MasterCard. Its goal is to develop and maintain common standards which encourage cardholder data security and to facilitate broad adoption of consistent data security measures across the industry.
PCI DSS applies to all entities involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.
If you want to request the GTT VDC PCI DSS Attestation of Compliance (AOC) and Responsibility Model, please contact us using the details at the top of this page.
BSI Grundschutz is a certificate which is based on the ISO 27001 standard. It ensures further precise controls are applied above ISO 27001 Information Security System (ISMS). The guidelines for the BSI Grundschutz certificate and how the certificate is gained are directly defined by the German authority Bundesamt für Sicherheit in der Informationstechnik (BSI).
Security based on BSI Grundschutz is important to GTT and provides assurance to customers that their colocation services are adequately protected against risks to the confidentiality, integrity and availability of information.
GTT is committed to BSI Grundschutz as a valued service to our premium hosting and colocation customers.
FINMA is Switzerland’s independent financial-markets regulator. FINMA requires that where financial institutions outsource elements of their IT, the outsourced services adhere to specific guidelines.
GTT’s FINMA report provides assurance from a third-party auditor that controls advised by FINMA for outsourced services are in place and operating appropriately.
The Public Services Network (PSN) is the UK government’s high-performance network, which helps public sector organisations work together, reduce duplication and share resources. To achieve PSN compliance a service provider needs to also be certified to ISO27001 and CAS(T). PSN requires further enhanced controls than CAS(T).
PSN enables GTT to provide services to Public Sector organisations at OFFICIAL status. GTT is a Direct Network Service Provider (DNSP) and connects to the Government Conveyance Network (GCN). The GCN is at the core of the PSN. GTT is committed to PSN as a valued service for our UK government customers.
CAS(T) stands for CESG Assured Services(Telecoms) and are additional controls required over and above the ISO27001 Information Security Management System (ISMS).
These controls relate to the adequate protection of telecommunications systems and services against risks to the confidentiality, integrity and availability of information. GTT is committed to business excellence and by implementing a robust ISMS.
ISO 20000 is a global standard that describes the requirements for an information technology service management (ITSM) system. The standard was developed to mirror the best practices described within the IT Infrastructure Library (ITIL) framework.
This international IT service management (ITSM) standard enables IT organisations (whether in-house, outsourced or external) to ensure that their ITSM processes are aligned both with the needs of the business and with international best practice.
ISO 20000 helps organisations benchmark how they deliver managed services, measure service levels and assess their performance. It is broadly aligned with, and draws strongly on, ITIL.
This policy statement covers GTT Communications Inc.’s (“GTT” or the “Company”) UK business and is intended to satisfy the UK tax strategy publication requirement under Schedule 19 to the Finance Act 2016. This statement is made for the financial year ending 31 December 2019.
GTT’s Approach to Tax Risk Management and Governance
GTT is committed to (i) complying with tax laws in a responsible manner and (ii) building and maintaining professional and constructive working relationships with tax authorities based on principles of mutual transparency and trust. These commitments, which are explained in more detail below, apply to all countries and all employees.
GTT’s tax department proactively manages, reviews and reports on tax risks and employs an experienced tax team that is part of the central finance function reporting to the Chief Financial Officer (“CFO”). Day to day responsibility for these functions sits with the Vice President of Tax (“VP of Tax”) who reports to the CFO. The Company’s Audit Committee oversees the Company’s tax policies and affairs through periodic reviews.
The tax team, which is led by the VP of Tax, is accountable for the day-to-day management of tax affairs, unless accountability is clearly devolved and accepted elsewhere. Any decisions to be made in respect of uncertain tax issues are subject to diligent professional care and judgement by the tax team but also after consulting with and justifying the decision with local and international management teams. In those situations where the level of uncertainty is high the tax department will utilize outside advisors to help evaluate the risks.
The Company manages tax costs through maximizing the tax efficiency of business transactions. This includes taking advantage of available tax incentives and exemptions. This is done in a way that is aligned with the Company’s commercial objectives and meets its legal obligations and ethical standards. This is also be done in a way that the Company reasonably believes is not contrary to the clear intentions of the legislation concerned.
GTT’s Approach to Tax Planning
GTT recognizes that it is responsible for paying an appropriate amount of tax in the UK. Against this GTT must balance its responsibilities to maximize its sustainable returns to shareholders. GTT will not undertake any tax planning that cannot be sustained by the commercial requirements of the group and does not have economic substance. GTT will not undertake any tax planning unless GTT believes that the strategy is compliant with tax legislation and more likely than not to succeed.
GTT’s Approach to Building and Maintaining Relationships with Tax Authorities
The Company is committed to building constructive working relationships with HMRC based on a policy of full disclosure to remove uncertainty in its business transactions and to allow the authorities to review possible risks.
Tax advice will be sought from external advisors in relation to material uncertain transactions or where the tax department does not have the level of expertise required in a particular area. Any tax opinions received are an aid to, not a replacement for, professional judgement to be exercised by the team. Where appropriate, best practice solutions will be sought or such issue may be discussed with HMRC, as the best way to avoid costly disputes is to reach a consensus on issues in advance.
Q. Who does the GDPR affect?
A. The General Data Protection Regulation (GDPR) not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
Q. What are the penalties for non-compliance?
A. Organisations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million, whichever is higher. This is the maximum fine that can be imposed for the most serious infringements. It is important to note that these rules apply to both controllers and processors -- meaning the GDPR subjects data processors to direct liability in certain circumstances, for example in relation to a data security breach and joint liability to data subjects where the data controller is at fault.
Q. What constitutes personal data?
A. Any information related to a person , that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Q. Is Interoute GDPR certified?
A. No organisation can be GDPR certified. GDPR isn’t a certification scheme, standard or framework that any organisation can certify against. GDPR is a regulation which, if in scope, organisations must comply with.
Q. How does Interoute comply with GDPR?
A. Our customers choose to work with us because a fundamental pillar for the success of our business is our robust data privacy framework. It ensures compliance with current privacy and data protection laws and encourages a culture of best practice when it comes to handling data. At Interoute we are currently compliant with the ePrivacy Directive (the Privacy and Electronic Communications (EC Directive) Regulations 2003, also known as PECR under English Law). While GDPR requires an additional layer of process and documentation surrounding data processing activities, because we have continuously invested in protecting customer data, our products and services are either already GDPR compliant or on track to be so with time to spare for the May 2018 deadline. Interoute applies what we consider to be state of the art technology to secure the data that we hold on behalf of our customers. By further implementing detailed policies, procedures, and processes that are certified as compliant with the most rigorous industry accepted data security standards, we are fully committed to providing compliant, multi-jurisdictional, segregated and secure solutions for all our customers.
Interoute is also aligned with multiple well-known certification schemes such as ISO27001 and PCI-DSS. Interoute is committed to adhering to these standards and applies robust technical, physical and cyber security controls.
Q. How does Interoute carry out key technical aspects of GDPR, such as ‘privacy by design’ or data privacy impact assessments (DPIA)?
A. Interoute carries out data privacy impact assessments on all aspects of its business, both internally and for products used by our customers. Interoute applies privacy by design via governance processes such as architecture boards and as a key milestone at the beginning of every project.
Q. Can my solution or service from Interoute be tailored for my organisation’s GDPR compliance needs?
A. Yes, Interoute can tailor any bespoke service for our customers’ requirements and to meet GDPR. We have several cyber security offerings that can help our customers achieve a strong level of cyber security maturity, and with it, GDPR compliance.