GDPR came into place on May 25, 2018 and is a regulation that protects an individual’s rights with regard to personal data and privacy of data linked to them.
As a organisation with a large European footprint, GTT takes GDPR very seriously and has stringent security controls that comply with GDPR. We follow the regulation's guidance itself, and are also aligned with internationally recognised security methodologies, frameworks, and standards.
You can find our full security and compliance section below.
Most standards and frameworks for information security focus on people, processes and technology. Additionally, the same standards have specific controls relating to the physical security of assets used to store or access information. Find out more about GDPR and how we comply by reading our FAQs below.
ISO27001 is an internationally renowned standard viewed as a benchmark by most organisations and security professionals. The ISO27001 standard contains the core security controls that other standards use as a base. GTT holds ISO27001: 2013 compliance at multiple locations, please view the certifications list for further information.
The ISO27001 series focuses on the entire information security stack. All information security aspects surrounding the core elements of people, process, organisation and technology are considered. It also has specific controls around physical security which relate to physical access to assets that have information stored on them, or that can be used to access the information itself.
That standard itself is fundamentally centered around the deployment of an Information Security Management System (ISMS) which helps to ensure that an organisation understands its information security posture and drives to continually improve it.
GTT uses a continuous security improvement approach to all information security objectives. This includes the continuous identification, grading, control and maintenance of risks. The GTT lifecycle is based upon the Edward Deming Plan, Do, Check and Act (PDCA) lifecycle which is internationally recognised and used by numerous standards and frameworks.
GTT is assessed and regularly audited by independent third parties against the ISO27000 standard to ensure that high standards are maintained continuously.
SSAE stands for “Statement on Standards for Attestation Engagements” which is an American standard with wide international acceptance. ISAE stands for "International Standard for Assurance Engagements". SOC stands for “Service Organisation Control”. SOC1 and SOC2 service auditor reports are provided by independent third parties against defined standards.
SOC1 audits are performed against an American standard called SSAE 16. A SOC1 report, also known as an SSAE 16 report, examines the Controls of a Service Organisation which are relevant to a user entity’s internal control over financial reporting. A SOC 1 audit report is on controls related to the protection of financial statements. It is specifically intended to meet the needs of customers who require assurance on the effectiveness of the controls at the service organisation on the customers’ financial statements. This report is only likely to be relevant to those service providers that offer financial reporting services.
A SOC2 report, also known as an ISAE 3402 report, is an audit report on defined control areas and as such is not focused so specifically on the needs of user entities in relation to financial reporting. GTT’s SOC2 report covers controls relevant to security, availability and confidentiality. SOC 2 audits are performed against American standards known as the Trust Services and AT 101.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard governed by the PCI Security Standards Council. The Council was founded by the major payment brands - American Express, Discover, Visa, JCB and MasterCard. Its goal is to develop and maintain common standards which encourage cardholder data security and to facilitate broad adoption of consistent data security measures across the industry.
PCI DSS applies to all entities involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.
If you want to request the GTT VDC PCI DSS Attestation of Compliance (AOC) and Responsibility Model, please contact us using the details at the top of this page.
BSI Grundschutz is a certificate which is based on the ISO 27001 standard. It ensures further precise controls are applied above ISO 27001 Information Security System (ISMS). The guidelines for the BSI Grundschutz certificate and how the certificate is gained are directly defined by the German authority Bundesamt für Sicherheit in der Informationstechnik (BSI).
Security based on BSI Grundschutz is important to GTT and provides assurance to customers that their colocation services are adequately protected against risks to the confidentiality, integrity and availability of information.
GTT is committed to BSI Grundschutz as a valued service to our premium hosting and colocation customers.
FINMA is Switzerland’s independent financial-markets regulator. FINMA requires that where financial institutions outsource elements of their IT, the outsourced services adhere to specific guidelines.
GTT’s FINMA report provides assurance from a third-party auditor that controls advised by FINMA for outsourced services are in place and operating appropriately.
The Public Services Network (PSN) is the UK government’s high-performance network, which helps public sector organisations work together, reduce duplication and share resources. To achieve PSN compliance a service provider needs to also be certified to ISO27001 and CAS(T). PSN requires further enhanced controls than CAS(T).
PSN enables GTT to provide services to Public Sector organisations at OFFICIAL status. GTT is a Direct Network Service Provider (DNSP) and connects to the Government Conveyance Network (GCN). The GCN is at the core of the PSN. GTT is committed to PSN as a valued service for our UK government customers.
CAS(T) stands for CESG Assured Services(Telecoms) and are additional controls required over and above the ISO27001 Information Security Management System (ISMS).
These controls relate to the adequate protection of telecommunications systems and services against risks to the confidentiality, integrity and availability of information. GTT is committed to business excellence and by implementing a robust ISMS.
Quality service and customer service are important to GTT. To provide the best service for our customers, GTT made a strategic decision to adopt ISO 9001.
ISO 9001 is an internationally recognised and independent standard for Quality Management Systems (QMS). It outlines a process-oriented approach to documenting and reviewing the structure, responsibilities, and procedures required to achieve effective quality management within an organisation.
ISO 9001 helps GTT to put systems and processes in place to enhance our customer focus in order to improve customer satisfaction and to improve our overall quality of service, productivity and efficiency.
GTT is committed to business excellence and by implementing a robust QMS we can provide our customers an excellent service at all times.
ISO 20000 is a global standard that describes the requirements for an information technology service management (ITSM) system. The standard was developed to mirror the best practices described within the IT Infrastructure Library (ITIL) framework.
This international IT service management (ITSM) standard enables IT organisations (whether in-house, outsourced or external) to ensure that their ITSM processes are aligned both with the needs of the business and with international best practice.
ISO 20000 helps organisations benchmark how they deliver managed services, measure service levels and assess their performance. It is broadly aligned with, and draws strongly on, ITIL.
ISO 14001 is an internationally recognised and independent standard for Environmental Management that has been adopted by GTT. It helps GTT to put systems and process in place to boost our environmental performance. This includes energy consumption, waste management, legal and regulatory compliance and supply chain requests.
By reducing our impact on the environment and following a more sustainable business model, we can save energy and costs, while helping to preserve the resources for future generations.
Q. Who does the GDPR affect?
A. The General Data Protection Regulation (GDPR) not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
Q. What are the penalties for non-compliance?
A. Organisations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million, whichever is higher. This is the maximum fine that can be imposed for the most serious infringements. It is important to note that these rules apply to both controllers and processors -- meaning the GDPR subjects data processors to direct liability in certain circumstances, for example in relation to a data security breach and joint liability to data subjects where the data controller is at fault.
Q. What constitutes personal data?
A. Any information related to a person, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Q. Is GTT GDPR certified?
A. GDPR is a regulation which, if in scope, organisations must comply with. At this time, there are no approved certification criteria or accredited certification bodies for issuing GDPR certificates. GTT holds an ISO 27001:2013 Information Security Management System certification and our technical and organizational measures are based on the Plan, Do, Check, Act cycle. GTT is assessed and regularly audited by independent third parties to ensure that the highest security standards are maintained and continuously improved.
Q. How does GTT comply with GDPR?
A. Our customers choose to work with us because a fundamental pillar for the success of our business is our robust data privacy framework. It ensures compliance with current privacy and data protection laws and encourages a culture of best practice when it comes to handling data. As a telecommunications service provider we adhere to the ePrivacy Directive (Directive on privacy and electronic communications) and also follow strict country specific telecommunication legislation which sometimes may override GDPR.
GTT applies what we consider to be state of the art technology to secure the data that we hold on behalf of our customers. By further implementing detailed policies, procedures, and processes that are certified as compliant with the most rigorous industry accepted data security standards, we are fully committed to providing compliant, multi-jurisdictional, segregated and secure solutions for all our customers. GTT is also aligned with multiple well-known certification schemes such as ISO27001 and PCI-DSS. GTT is committed to adhering to these standards and applies robust technical, physical and cyber security controls.
Q. How does GTT carry out key technical aspects of GDPR, such as ‘privacy by design’ or data privacy impact assessments (DPIA)?
A. GTT carries out data privacy impact assessments on all aspects of its business, both internally and for products used by our customers. GTT applies privacy by design via governance processes such as architecture boards and as a key milestone at the beginning of every project.
Q. Can my solution or service from GTT be tailored for my organisation’s GDPR compliance needs?
A. Yes, GTT can tailor any bespoke service for our customers’ requirements and to meet GDPR. We have several cyber security offerings that can help our customers achieve a strong level of cyber security maturity, and with it, GDPR compliance.
Q. Where can I learn more about GDPR compliance in GTT. How can I request personal data protection support from GTT?