General Data Protection Regulation (GDPR)

GDPR came into force in Europe on May 25, 2018. It is a regulation that protects an individual's rights with regard to personal data and the privacy of data linked to them.

As an organization with a large European footprint, GTT takes GDPR very seriously and has stringent security controls that comply with GDPR. We follow the guidance of the regulation itself and are also aligned with internationally recognized security methodologies, frameworks, and standards.

You can find our full security and compliance section below.

Most standards and frameworks for information security focus on people, processes and technology. Additionally, the same standards have specific controls relating to the physical security of assets used to store or access information. Find out more about GDPR and how we comply by reading our FAQs below.

Security certifications

ISO 27001

ISO 27001 is an internationally renowned standard viewed as a benchmark by most organizations and security professionals. The ISO 27001 standard contains the core security controls that other standards use as a base. GTT maintains ISO 27001:2022 compliance at multiple locations; please see the certifications list below for further information.

The ISO 27001 series focuses on the entire information security stack. All information security aspects surrounding the core elements of people, process, organization and technology are considered. It also has specific controls around physical security which relate to physical access to assets that have information stored on them, or that can be used to access the information itself.

The standard itself is fundamentally centered around the deployment of an Information Security Management System (ISMS) which helps to ensure that an organization understands its information security posture and drives to continually improve it.

GTT uses a continuous security improvement approach for all information security objectives. This includes the continuous identification, grading, control and maintenance of risks. The GTT lifecycle is based upon W. Edwards Deming's Plan, Do, Check and Act (PDCA) cycle, which is internationally recognized and used by numerous standards and frameworks.

GTT is assessed and regularly audited by independent third parties against the ISO 27001 standard to ensure that high standards are maintained continuously.

SOC 1 and SOC 2 reports

SOC stands for "Service Organization Control". SOC 1 and SOC 2 service assurance reports are provided by independent third parties (auditors) against a defined control framework.

A SOC 1 report examines the controls of a service organization that are relevant to a user entity's internal control over financial reporting. It is specifically intended to meet the needs of customers who require assurance on the effectiveness of the service organization's controls as they bear on the customers' financial statements. GTT's SOC 1 scope includes Managed Hosting and VDC services.

A SOC 2 audit report provides detailed information and assurance about security, availability, processing integrity and confidentiality controls, based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria). GTT’s SOC 2 scope includes the SD-WAN and SIP Trunking services.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard governed by the PCI Security Standards Council. The Council was founded by the major payment brands – American Express, Discover, Visa, JCB and MasterCard. Its goal is to develop and maintain common standards which encourage cardholder data security and to facilitate broad adoption of consistent data security measures across the industry.

PCI DSS applies to all entities involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.

If you want to request the GTT PCI DSS Attestation of Compliance (AOC) and Responsibility Model, please contact your Account Manager.

UK public sector certifications

PSN

The Public Services Network (PSN) is the UK government’s high-performance network, which helps public sector organizations work together, reduce duplication and share resources. To achieve PSN compliance a service provider needs to also be certified to ISO 27001.

PSN enables us to provide services to Public Sector organizations at OFFICIAL status. GTT connects to the Government Conveyance Network (GCN) which is at the core of the PSN. GTT is committed to PSN as a valued service for our UK government customers.

General compliance

ISO 20000

ISO 20000 is a global standard that describes the requirements for an information technology service management (ITSM) system. The standard was developed to mirror the best practices described within the IT Infrastructure Library (ITIL) framework.

This international IT service management (ITSM) standard enables IT organizations (whether in-house, outsourced or external) to ensure that their ITSM processes are aligned both with the needs of the business and with international best practice.

ISO 20000 helps organizations benchmark how they deliver managed services, measure service levels and assess their performance. It is broadly aligned with, and draws strongly on, ITIL.

GTT UK tax strategy

GTT is a global networking and security service provider for multinational organizations, simply and securely connecting people and agents to data and applications around the world.

This strategy is published in accordance with Schedule 19 of the Finance Act 2016 and is intended to comply with the duty under paragraph 22(2) of that Schedule for the financial year ending 31 December 2025. It contains the information required by paragraph 23 of Schedule 19.

GTT is committed to responsible tax behaviour and to complying fully with tax laws and regulations in all jurisdictions in which it operates, including the UK. As a global organization, certain risks, including tax risks, will arise. Our objective is to carefully manage UK tax affairs in a manner that supports our commercial operations, maintains our reputation as a transparent and ethical organization, and ensures that we meet our obligations as a responsible taxpayer. Given the global nature of our business, we have policies and procedures in place to ensure that all transactions between legal entities of the group are conducted on an arm's length basis.

GTT's tax department proactively seeks to minimize tax risks and employs an experienced tax team that is part of the central finance function reporting to the Chief Financial Officer ("CFO"). Regular communication and collaboration with the business, including seeking approval from the board of directors, ensure that tax risks are identified and managed in a timely manner.

The tax team, led by the Senior Vice President of Tax ("SVP of Tax") who reports to the CFO, consists of tax specialists with relevant qualifications and experience who are involved in the day-to-day management of tax affairs, with appropriate reliance on external tax consultants and resources. Decisions in respect of uncertain tax issues are taken with care and judgement by the tax team, in consultation with relevant business stakeholders. Where the level of uncertainty is high, the tax department will seek external advice to help evaluate the risks and take the appropriate course of action.

GTT engages with tax authorities, including HM Revenue & Customs in the UK, in an open, collaborative and transparent manner. We seek to provide full disclosure of relevant facts and to resolve any disputes so as to achieve certainty where available (for example, through clearances or real-time discussions) on significant or uncertain matters, but will consider litigation where there is disagreement on a point of law or interpretation.

Operation Center certificates

Prague: ISO 27001

Pune: ISO 27001

Sofia: ISO 20000, ISO 27001, ISO 22301

Nottingham: ISO 20000, ISO 27001

Who does the GDPR affect?

The General Data Protection Regulation (GDPR) applies not only to organizations located within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is higher, for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements. It is important to note that these rules apply to both controllers and processors, meaning the GDPR subjects data processors to direct liability in certain circumstances, for example in relation to a data security breach, and to joint liability to data subjects where the data controller is at fault.

What constitutes personal data?

Any information related to a person that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information to a computer IP address.

Is GTT GDPR certified?

GDPR is a regulation that organizations within its scope must comply with. At this time, there are no approved certification criteria or accredited certification bodies for issuing GDPR certificates. GTT holds an ISO 27001:2022 Information Security Management System certification, and our technical and organizational measures are based on the Plan, Do, Check, Act cycle. GTT is assessed and regularly audited by independent third parties to ensure that the highest security standards are maintained and continuously improved.

How does GTT comply with GDPR?

Our customers choose to work with us because a fundamental pillar of the success of our business is our robust data privacy framework. It ensures compliance with current privacy and data protection laws and encourages a culture of best practice when it comes to handling data. As a telecommunications service provider we adhere to the ePrivacy Directive (Directive on privacy and electronic communications) and also follow strict country-specific telecommunications legislation, which may sometimes override GDPR.

GTT applies what we consider to be state-of-the-art technology to secure the data that we hold on behalf of our customers. By further implementing detailed policies, procedures, and processes that are certified as compliant with the most rigorous industry-accepted data security standards, we are fully committed to providing compliant, multi-jurisdictional, segregated and secure solutions for all our customers. GTT is also aligned with multiple well-known certification schemes such as ISO 27001 and PCI DSS. GTT is committed to adhering to these standards and applies robust technical, physical and cyber security controls.

How does GTT carry out key technical aspects of GDPR, such as ‘privacy by design’ or data privacy impact assessments (DPIA)?

GTT carries out data privacy impact assessments on all aspects of its business, both internally and for products used by our customers. GTT applies privacy by design via governance processes such as architecture boards and as a key milestone at the beginning of every project.

Can my solution or service from GTT be tailored for my organization’s GDPR compliance needs?

Yes, GTT can tailor any bespoke service to our customers' requirements and to meet GDPR. We have several cyber security offerings that can help our customers achieve a strong level of cyber security maturity and, with it, GDPR compliance.

Where can I learn more about GDPR compliance at GTT, and how can I request personal data protection support from GTT?

GTT has established a Privacy Policy that we encourage our customers, employees, agents, contractors, and suppliers to read. The purpose of this Policy is to outline how GTT will collect and manage personal information in accordance with all relevant privacy legislation. GTT has a Data Protection team responsible for ensuring GDPR compliance. The Data Protection team can be contacted via e-mail at: [email protected]