What is the GDPR?
The GDPR stands for the General Data Protection Regulation, which is a comprehensive EU data protection law, adopted in May 2016, updating the existing EU data protection law (the 1996 Data Protection Directive) to further strengthen the protection of personal data of individuals in the EU. It takes full effect on May 25, 2018.
To whom does the GDPR apply?
The GDPR applies to organizations that collect and process personal data of individuals in the EU for their own purposes, defined as Controllers by the regulation, as well as to organizations that process data on behalf of others, defined as Processors by the regulation. This is a shift from the preceding EU data protection law, which only applied to controllers.
Does GDPR apply to companies that are not based in the EU?
Yes. The GDPR applies to entities that collect or process personal data of individuals in the European Union, even if the entity is not established in the EU, for instance if the entity is offering goods and services targeted at EU data subjects or is monitoring their behaviour within the EU.
What are the resources available to me as a Palo Alto Networks customer?
We have launched a GDPR Readiness Program to address our responsibilities as data controller and as data processor under GDPR.
We have updated the terms of our End User License Agreement (EULA) to include provisions addressing the requirements of art. 28 of the GDPR, including right of audit, data breach reporting, sub-processors, etc., so that our customers have the appropriate terms in place when Palo Alto Networks acts as their data processor. Moreover, we are making available to our existing customers that have signed a previous version of the EULA a pre-signed Data Processing Agreement they can download here, the terms of which address the requirements of art. 28 for contracts between data controllers and data processors.
Lastly, customers that wish to conduct a data protection impact assessment of our products can find more information on how our products process personal information in our Product Privacy Data Sheets at www.paloaltonetworks.com/resources/datasheets/product-privacy-datasheets.
How is Palo Alto Networks addressing cross-border data transfers under the GDPR?
Palo Alto Networks has executed intercompany agreements based on the EU approved standard contractual clauses, to support the transfer of customer data from the EU to the US.
What if customers want to keep data within the EU?
For customers that want to store their data within the EU (or another region), Palo Alto Networks regional clouds provide, for certain products, options that address our customers’ data location preference while still providing our world-class security and prevention through the power of our global threat intelligence and protection.
How can Palo Alto Networks help its customers in their journey to GDPR compliance?
The GDPR requires organizations to put in place measures to secure personal data. In particular, entities are expected to determine and adopt appropriate security, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Palo Alto Networks has prepared a white paper, How the Next-Generation Security Platform Contributes to GDPR Compliance, to outline how our platform can help. Also, our products and services provide options to configure our products so that they can be implemented in compliance with privacy principles, with customers’ policies, and with the GDPR. This includes, for example, controls that allow customers to determine which data to share with Palo Alto Networks, or who can access the data. For more information about the privacy impact of our products, users can review our Product Privacy Datasheets at https://www.paloaltonetworks.com/resources/datasheets/product-privacy-datasheets.